23542300x800000000000000076035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.722{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEBE9352D34579CA936A8DAA8649CBB,SHA256=7EB8ACD9989F7644DDB9FF3845A8EC3B6A3EE42A3F0EFEDD29769EDBFAB29CCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.685{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000033960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.526{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A0D2E1DF8CB19FD291F124D21784C5,SHA256=C26DAE4C17FA4C4F11D2C1AC15199F460C33F7832516AE1DFE1E4DDE9B1FB006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.679{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.674{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 354300x800000000000000076031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:19.798{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49349-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000076030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.090{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.081{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.053{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.049{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.030{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.027{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.018{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:21.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000033959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.035{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.025{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.023{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.021{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.014{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.012{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.009{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.006{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.003{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000033949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 23542300x800000000000000076037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:22.735{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33C5AF2D4716B11064380BB75E1575E,SHA256=0F5E0BFEA78FE0AED42281F0D6B274999A3845589A5F7E2D101FB60C93C85DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:22.577{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE9BD8EBE3627108246BC6F77E2BFF0,SHA256=6A3574DABD0A107C78C0DA64ED8090F36F273A12B3C4EFC3EA092614781DC5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:22.449{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:23.793{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F399AA4F974CBAC63C4043E2EABB3AA,SHA256=4E14B55D6EDA06EB1B9FCBD4467F22ECAC90D57FF6AC3BEDC0FEFD07E6002D07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:23.738{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000033966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:23.655{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5E8F4AC7DA7AE015A990B4D10619D,SHA256=FA4A02ABB2A83AE5DA1D99E41507A174CA7B9527070E04BC2CBA17C441DBCA62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:23.736{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:23.733{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000033965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:23.231{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:23.231{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:23.231{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:23.218{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:24.734{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E988748768D5C95C5618F254373B5709,SHA256=5BCC9ABF22512CBAD757B3427414B4975B3962737332520E836F1B0D9C04EE61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.466{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.464{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.461{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.458{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.455{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.453{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.449{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.445{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.442{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.437{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.433{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.424{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.402{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.385{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.383{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.373{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.366{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.335{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.318{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.287{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.278{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.267{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.261{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.260{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.257{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.255{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.254{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.251{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000076042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:24.250{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000033968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:25.810{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B25C5972D9DF48A6CEAC05CD965BFA1,SHA256=8D6E6B32AF0B28729164E7AD43AF642D5B49541DC20E1C2E753FD792A7F17CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:25.151{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD04E4CE99BF1F71C56753C4FB01DFF5,SHA256=58F22955E0449B2CDB754C73F9AD070147225296839278FD50EFD39620F60705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.877{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE4F4755C0FF27B4BAF1DF8CEBC1F13,SHA256=042760D80797534E898F4D3323F0762350C98E9DA0D3DB1B5DF8CBC30123A57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:26.265{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9026C56634F81F547892DF5C1669401,SHA256=1201E2CC5DF1584259D39F8F83125807C6524EA54B52056A71722B467BD146FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FBDA-63D0-4002-00000000BB02}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FBDA-63D0-4002-00000000BB02}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.580{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FBDA-63D0-4002-00000000BB02}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.581{72106695-FBDA-63D0-4002-00000000BB02}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:26.085{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.972{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEB76B88A02E7E38D0FAD5A2EBC76B1,SHA256=8359F316765521FC26AB01C5122EF9E02B5EFB3DCAC14F7D4ABE478C59B488C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.925{72106695-FBDB-63D0-4202-00000000BB02}9602616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000076075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:25.670{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49350-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:27.387{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71009643AE7BA31AF93C60F396554DB3,SHA256=F663064A1D9899A66609B615ED8B0A2C096A8B8957FF95C86E738DE441A86F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FBDB-63D0-4202-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FBDB-63D0-4202-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.785{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FBDB-63D0-4202-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.786{72106695-FBDB-63D0-4202-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.707{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D216B6F63BFA25564000702778FAC4A,SHA256=EDAE2B18AF91B6BDDA661C9529E291355D468ECFC0EDE1F17598169CA4DAE77D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.197{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D71B357874853787B3FC1F211CBDB51D,SHA256=8EC743A9F30A51463455C50AC36327A8DEC1B615CA4C362955CA902E7FE1E530,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.133{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.133{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.133{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.133{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.133{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FBDB-63D0-4102-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.131{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.131{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.131{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.131{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.131{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.130{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FBDB-63D0-4102-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.130{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FBDB-63D0-4102-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:27.130{72106695-FBDB-63D0-4102-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:23.959{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50453-false10.0.1.12-8000- 354300x800000000000000076077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:26.343{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49351-false172.217.0.170yyz08s10-in-f170.1e100.net443https 23542300x800000000000000076076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:28.433{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2652685AA41029F076F45A6CCA93AE4E,SHA256=5CD76A788BBC1D45C09722995AE987AF135128C5D237E6BC0968A3FC79D519CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:28.396{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8913DF4E8EB65DD8DC9370B2E729D01F,SHA256=6FB4320B0764F9E69A2EE00C0093399958E7D2DE77804ABC56845746AB369DD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:24.966{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50454-false10.0.1.12-8089- 23542300x800000000000000076078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:29.525{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6EAF0AD42EF83044DFE60F3F806BD1,SHA256=F01B473B8DA517C72012262C56C46D9DC03E092FFAFC6DC331910B235D88F3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.347{72106695-FBDD-63D0-4302-00000000BB02}26202512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FBDD-63D0-4302-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FBDD-63D0-4302-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.207{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FBDD-63D0-4302-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.208{72106695-FBDD-63D0-4302-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.052{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA0DFC9DE92484619C7DBE21585D1C8,SHA256=4E894B7F22A6DCA1C05A1030062792D63AC59F87FC3791EAAEA135D72BD4FFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.670{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6DED167B2313DD2BEE8A1F7373C3B8,SHA256=23ECFC27D07BA9D78814E21AA4E2227C5D0184337CC2C558CA2EB9B24666F81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=5747CA1E1576D458D3F6DC2484EC7417,SHA256=7DDB690294FD365660A3C1B9CBE9A094B156E9BB7508AD770431A50272C3F7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=F2B926AE99C7939A916918AB01A33F2F,SHA256=8114D3A16DB469A3519C773AE2489F89778B212FDF73C6D7A15E98170F2DF4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.598{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=527830308D13C74A6D66901E8A602A4B,SHA256=7FDC9CC74A44EAFBC50EAB63C55956EE93CB1066D2C36D71DB3A725AF969E751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.594{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=C1A9CF32AB5213A7036B4BD6AF156C66,SHA256=BA022FB6993ACC15C243F547A1542B35C0701CF108637C9ADD529BDC042993F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.591{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.589{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.588{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=45320982713CF306706A2B6E7916CA91,SHA256=D1A1029E1EC1AEEEBD31A3EA2594CBE9429F031742E1A7E7149DE4906BF8FCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.586{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=05697D239263D225C95AF5F6E1F23F65,SHA256=9613EF83B0CB9A40BD417C29BC0ADD17109927606F59F88682482F143285ADDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.585{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=C1E7B53BBB051518C277984CF39271C6,SHA256=BB663C5AC12B92B8ACEB4B17EF4ED7C79D1D846EF40B5D15A6FC98CD535E0767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.528{72106695-FBDE-63D0-4402-00000000BB02}13162460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FBDE-63D0-4402-00000000BB02}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FBDE-63D0-4402-00000000BB02}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.357{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FBDE-63D0-4402-00000000BB02}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.359{72106695-FBDE-63D0-4402-00000000BB02}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:30.130{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09924FE6BEF2FA1B46861EFB6703A046,SHA256=23603B68A10FA6DAAEA98317563E3B61E638DF975DCE4CBE1DDF9B938AAB133E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.420{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=068929DF2B3F90A1542B4C8B48C74CD0,SHA256=DCBFAF3B1CB4040FDF9E00742E9666FF798CEC472200D0A1CB8EB1EE7E05D6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.420{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=0BE995BDB2F4A98B5F2FC40AAFDC2B65,SHA256=FA6B7853FB7F496D953508414C64A85C92E7669291E3C0CEF2D0270412EC8C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.420{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=4A77E4567F4F6466FE5396E8FAC679C8,SHA256=C1492CD7F152C784846C0CA164CB3539193AC4A9F5B2F7189247D575866A8748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.420{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.420{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=73E7AF7791535A9F32DB6464D922C401,SHA256=C02922616DABBEE9E26AF5A1F75121204F6B9BE3E622B6CF28AAC3FF01BCAE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.420{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=983D50E2843387E40B44B5A61064C7AE,SHA256=7ED4C7BB5A88D06025DF71B86DE7F71D16B17C3928EC9B6D7647BAC277A2095A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.404{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=473F294EBF43EAF20BEA745EEA81F8CE,SHA256=F1AEF4A4EA44C599CE81534DEA2831ED95A23D8600AB092071459218C43CD919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.404{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.395{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.395{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=8DE809C096426850F0E591F69AF5979B,SHA256=274494D797A313FB8EFA2F5A82F160E186F1F36310186BC63E69256FEEC41A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.395{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=236B41BB6185C0BC2BA9245724E73BBF,SHA256=F4619D8820A61E0A9A187422DE0E97A8D21F63397848E1D61FE3177F8FB48186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.395{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\content-email-track-digest256.vlpsetMD5=36713723A0C0C8612D524929DC29C10D,SHA256=0508CC0A1113565117DCA5AE294B1B760BF3760FECCE2DCD301C8B7B0228E30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.395{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\content-email-track-digest256.sbstoreMD5=2C126E7268C6F11692BE11629C2FF7C6,SHA256=1B96CEFEA79E6F74B64B76820FADE940636EB9F5CD4B35E65584C85B004989F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.395{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=AF32B9C2D675A714BD311805808AEC14,SHA256=7E3B35252F739A8E1469314A4FE3CF4B9AC906E0BBEA9F4E88F31F15C30B93DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=A5ABC81A6FE923E8DB43F979B10AD3BD,SHA256=B7CEA440E3ED079766AC192B672DF4DC17B36C740F9B17B32BBCB4E54AEF231E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\base-email-track-digest256.vlpsetMD5=180B597663D98AB1B5E09ED8EB61D6F4,SHA256=5A142D44D91F33D4EBD7AE81DA219C8EE0023BA8328DC2F5F1AC3FC2F8808314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\base-email-track-digest256.sbstoreMD5=97239BC16E55CC1B0BED952E65610EE1,SHA256=27F32FC0B6D03158284FB804569EA171CE99E7A08276B68C7E16B4BC254B67FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=00E12F637CA3DBDCD1700E797EAE9522,SHA256=5F22E3810F487A0ED1E1680C7CF9CC33749E409389B386BA367C00ACFCF5C4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=88B44DC75B1D0E8B36B9BAFD82E73053,SHA256=6D7B3C150EA8E3DBD9FB4C521E5AFB2C7D9556BFF0BEAAA2661F3C3420AAA930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=EA8FC2B1E715FF5F0D99177063DEC900,SHA256=1D20EE535B3A5CC08F514B342B32398677B5CCA3C5E3F1CE5B74370B2361B688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.380{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=801B0CE649BB5EA80E92323DB6ED3A64,SHA256=4B7725D4DC97F1EF4A544E13CD559CE6A945B5DFF1C27A4CD0750E5D42C91FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.349{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=473F294EBF43EAF20BEA745EEA81F8CE,SHA256=F1AEF4A4EA44C599CE81534DEA2831ED95A23D8600AB092071459218C43CD919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.334{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.221{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=05697D239263D225C95AF5F6E1F23F65,SHA256=9613EF83B0CB9A40BD417C29BC0ADD17109927606F59F88682482F143285ADDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.202{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.169{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=4A77E4567F4F6466FE5396E8FAC679C8,SHA256=C1492CD7F152C784846C0CA164CB3539193AC4A9F5B2F7189247D575866A8748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.149{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.078{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=068929DF2B3F90A1542B4C8B48C74CD0,SHA256=DCBFAF3B1CB4040FDF9E00742E9666FF798CEC472200D0A1CB8EB1EE7E05D6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.008{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:31.654{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC9F7C2AE6B9283D11A6C24D9BDDC61,SHA256=48895170C5EDEA13E10FDF625A7AC7E711329D76B2C0E4C0A38A4C617322AD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.480{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8DB2AFE2C7127627781FEB33851C8F,SHA256=98FE1570CE5C07C8164A5043E4FF6D6AB9DACFE8BF6C9BB0C6B3D36FB0D6FFE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.178{72106695-FBDF-63D0-4502-00000000BB02}34763716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:31.114{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FBDF-63D0-4502-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FBDF-63D0-4502-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.024{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FBDF-63D0-4502-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:31.025{72106695-FBDF-63D0-4502-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:32.673{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC8B1CF7659601F68C2EE7F61196DCB,SHA256=E9C5D82C316D156F27DCEF928142C5F65923E5274C312528A811020117670279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FBE0-63D0-4602-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.811{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.810{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.810{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.810{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FBE0-63D0-4602-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.810{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FBE0-63D0-4602-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.809{72106695-FBE0-63D0-4602-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:32.283{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8727A47E66CFB525F34B3FC73ADE28A9,SHA256=FBCF1C11EBEFA03C412BBADB478EC1390F963C4E8E63A0D143465D40FA07EF3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:29.042{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50455-false10.0.1.12-8000- 23542300x800000000000000076130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:33.792{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF811FF3024EF01592F28FE060E2C56,SHA256=AA032F2C8EA799CE8870E46F02BB5E36B49A4C029DEC1D5F6B9D52756FA3D189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:33.877{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35DA5F5B2D9F273039BDFC03DEACB530,SHA256=590E3C91D8411BD84D01C86820176AB530A4C7FED00171CA3BB3D7F2E01D10AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:33.254{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6B7DDF5BD65D19BA3FD35893ED13A4,SHA256=D598AD162B50A38002A3973A215CAA0C7AC86A22BAF14C30F3830DBF3A4F6113,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:30.790{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49352-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:34.943{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE37B08BFC2A5583E7CA09988273991,SHA256=B3F2CABF0873D334940EF0080C51F0494E97C1A2B30B03B005D10771E04A7833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:34.334{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB6DE6D499A458CDE7FA8D00B5E0059,SHA256=F570F7449A1B164209FBCB96FE0EFB951264803D1199A4C6734C628685270AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:35.425{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97F756A0B665DCF4B29B02F2B220E5F,SHA256=90A1D9F71ABCF84AA209B2D47BF75868CA374D781F3745367C83BB6B508290CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:36.518{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1719C36D2CB78D92A2F9D7A24DF75D40,SHA256=8323302036173502C960CCA40CE59FEA38AC355E05C042E6D54421942808CF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:36.074{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CDC9457F2315FB51C8AC01B8126407,SHA256=B2B4B03557B203E2010387F463F96DDE943791E0866DE88BD0FF38283F65FB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:37.603{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A3BF6DF1623D1DA32FC205E1D178AD,SHA256=D563FB135FD411BD66EE51C8B669AF56295C85177606A5BBF6D792381DCD55D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:37.193{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256BE6274DBD33E8BD18C67884F995D3,SHA256=C0CABD4A1B8B207CABE56AA7EC13D586DDD134F8BD0C0FAD3BDDD42A74CD581B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:38.677{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BAF96738FA486C709345230403F83B,SHA256=68C1198195DECB79A2C642BE77D4187FB35E29C01B176B67AD950156F7C6EF3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:36.712{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49353-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:38.245{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94745AF45F3A5CD1D19642662A58C1E1,SHA256=BB8BECBEAB405E99A32F0881627376DA004D75B91297D09C93EB85807C1A9E42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:34.943{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50456-false10.0.1.12-8000- 23542300x800000000000000034085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:39.761{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570D0886F901446F368850D216BBF745,SHA256=C11A911C5C1783B14568E6A33D48BA3BC84D18A2E0236C8F7F13A6459822DC98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:39.576{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\AlternateServices-1.txt2023-01-25 09:52:39.576 23542300x800000000000000076138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:39.576{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000076137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:39.576{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\AlternateServices-1.txt2023-01-25 09:52:39.576 23542300x800000000000000076136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:39.378{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BC3F49B75735A3C4E4F2E119698988,SHA256=54961DCD9BE0C6D9C9F89BC682832FF4B0BFB27F9DB3265F47CD141B8CABC54A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.993{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.991{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.990{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.985{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.981{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.969{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.953{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.946{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.941{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.936{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.930{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.925{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.920{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.914{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.909{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.903{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.886{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.884{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000034086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.843{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5B3F416C265D3377985C30C7A365B2,SHA256=92BEB5E188EDE7C6C114C0D3C19BD049C195F8DAE13797E844B79891A33045F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.988{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.982{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.976{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.964{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.954{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.917{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.901{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.887{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.876{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.826{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.822{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 23542300x800000000000000076143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.478{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7196E09C4E824A7BF096D5B1299D801,SHA256=53249CDCA6373757782E2A34646E2DF78C5BD9A9FD77E6D4D2D8C9E65E579728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.305{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000076141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.305{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:40.305{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3a256f.TMPMD5=4DF8043D988875F196E7170EB48ADC55,SHA256=C4660FA4B1BB90DD96D9F3B0818855B399BF0E5C3D38653DC439DAD480C79018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.543{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.539{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.535{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 23542300x800000000000000076166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.533{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA64D06DA938A036E0E61FA2FD9E0F3,SHA256=E75559C6397FA75B43266D890060DFA707D3C7A127024EBF51C938DC32499E5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.017{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.015{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.014{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.012{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.011{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.009{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.009{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.008{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.006{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.004{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:41.001{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000076165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.046{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.023{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.022{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.013{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.008{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.001{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.879{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.879{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.879{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.879{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.879{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.879{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.879{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.880{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:42.550{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E1655E47F4561C12F62F1C9BC077D4,SHA256=E6AABED7F06716177D1242F968626234D96D74FD5A5C6C479578FA3B5B759553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:42.362{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6972BB4E4E18C223993F6A316DBAF311,SHA256=17B3EC484374FEDCE237BA68C828BC0285B36BAB0971336DC5F6DDE7A745E5EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:43.472{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B7A197DB86F70E88331039836573DC,SHA256=CFA39E965853E7B1DB9304B5627165B2CB08A59291995824F4E4D32BE0E460D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:41.815{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49354-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.640{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D38D145E59542EFECD40B10F376DC4,SHA256=C02D7D974B850F44E8BEF079F81616C4410861FFD2CA1AA1ECFDEE06FE6BA180,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.629{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.629{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.629{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.598{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.569{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.567{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.564{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FBEB-63D0-8803-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FBEB-63D0-8803-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FBEB-63D0-8803-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.401{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FBEB-63D0-8803-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.399{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.399{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.399{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.399{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.398{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FBEB-63D0-8803-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.398{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FBEB-63D0-8803-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.397{45AAC21C-FBEB-63D0-8803-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.132{45AAC21C-FBEA-63D0-8703-00000000BA02}60044768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.068{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.066{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEA-63D0-8703-00000000BA02}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:40.034{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50457-false10.0.1.12-8000- 23542300x800000000000000076250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.727{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF81E2342674C719C7990DE623609B7B,SHA256=45650A4AD909076631384CC7424BC5CEBDC53B8CBCFC7513FF52CEE65369735E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.636{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA29A7DFC6E4DCFED70AD5A0CFFAE5FF,SHA256=CDF3FA6FF427CA20532A4E45E665DD851416235707A381895073B4823042F08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:44.543{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FA30634485B52FD3F950AC69A73D1A,SHA256=12B2F64DF3F35EBE6ADE935899B132E33FBF0F20F918783D6E2F9A568A32E218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.587{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FEDE78204D7B43CE4E44A9A054176CB,SHA256=7B0F93CFF68A2285B50E3EBD0AFB67FC2EEE7DB38EB3813EF65CD69F01EB9BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.485{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5B8DE74310AEC62FF5D25565C6DBE7,SHA256=124C110528889AC1CE792F480BBC99ABEC75F7F2AAA7778A60032DB40FC2B58A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.255{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.252{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.250{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.247{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.244{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.242{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.239{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.236{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.233{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.230{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.228{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.220{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.201{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.185{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.184{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.182{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.178{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.176{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.157{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.146{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.121{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.115{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.104{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.091{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.089{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.085{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.084{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000076216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.029{45AAC21C-FBEC-63D0-8903-00000000BA02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:44.027{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6C441BBBA98C9D5ACB8D49F14E9B6BD,SHA256=D447D0F52764F45816443B6CDBCB1C056216535B514BBFB4C543EBE4A5C5E718,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.620{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49355-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000076252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:43.620{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49355-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000076251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:45.728{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE85865227443D11F537EB47CD01CC1,SHA256=1C1FA259F9B7D93BA0A9D1B303BF53534668521259AB758DB3DE37060D696F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:45.623{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C678DCEF0421D7924E3DDBF7B85F9F9,SHA256=F00E2F1F27BA4641DF917759C96A7E4214C4F4BF4643306C39619275331D086F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.754{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FEE1C0693F478479FFEA01DE4F7667,SHA256=126F006E78DDF726703C0BD58CA3BD4BA7B76ABE74DCEE0F3118B9C4E3F7C394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:46.712{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D93375C8930E814CED5F7887EED7E55,SHA256=C56B0F37C28AE33143395F0285181D6CD70F2BDD93B87467FC4077E02C9E2544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.485{45AAC21C-FBEE-63D0-8A03-00000000BA02}67727952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.208{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FBEE-63D0-8A03-00000000BA02}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.206{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.206{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.205{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FBEE-63D0-8A03-00000000BA02}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.204{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FBEE-63D0-8A03-00000000BA02}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.204{45AAC21C-FBEE-63D0-8A03-00000000BA02}6772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:47.790{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE13E48C2B5D883E7C4C17233755013,SHA256=42966D8EF26C3443AAD38929F28C09515D94ABF8958CD74CF3610F696E91EC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.885{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93F2D5A389B3F50CF623563E7238DEA,SHA256=3A32EFB226D39F1BFEDA8B8E7D1218D8A53B392C31DB3C914EA2313CBFD18712,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.829{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FBEF-63D0-8C03-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.829{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.829{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.829{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.829{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.829{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FBEF-63D0-8C03-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.829{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FBEF-63D0-8C03-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.830{45AAC21C-FBEF-63D0-8C03-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.567{45AAC21C-FBEF-63D0-8B03-00000000BA02}63487692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.329{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FBEF-63D0-8B03-00000000BA02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.329{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.329{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.329{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.329{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.329{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FBEF-63D0-8B03-00000000BA02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.329{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FBEF-63D0-8B03-00000000BA02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:47.330{45AAC21C-FBEF-63D0-8B03-00000000BA02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:48.867{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0C52F91E73C273F35D5D0739A93072,SHA256=861EFA7F4A00EA25BF73E79825BBFE3DA1E0C074C3A9DEFB9F697484398EFB0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:46.866{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49356-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:48.890{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3653B20ADA98B3AEF9D2C8BF7C326F,SHA256=F1F9E81A74ED6DAD8774AE7D4B143FE7B6E33D22CC2550E43C36804E4123A37A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:48.069{45AAC21C-FBEF-63D0-8C03-00000000BA02}49245184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:49.958{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F0938E75B5C6DEDB9947AFFF4B31AD,SHA256=01B639D54740940770F5BE15DF900CB61A15047A06C627F6A63F294B6BCC9379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:49.889{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-061MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.990{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.990{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.990{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.990{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.990{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.990{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.990{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:49.991{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000034124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:45.936{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50458-false10.0.1.12-8000- 23542300x800000000000000034128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:50.930{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5A682DECA400B176A9EE92D8777ED2,SHA256=B6F2C5F2742CC22D31EA600C1A1DF1C0224A7CB7C885069E61BEBF2BD17E8ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:50.888{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:50.592{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:50.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:50.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:50.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:50.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FBF1-63D0-8D03-00000000BA02}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:50.017{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414896520B666ECDCE647C46CC7D72EB,SHA256=6290C2A6CAA1A4D840968A9D2548EA6D1C547D6E54C5B85C318DFA7244C65D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:51.867{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2CB837BC3CD4E2A0329FB0E9411E6580,SHA256=283BC2E8963D70F727314477624A2BA207587C73F09DE399CF9E3F26D09FB3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:51.090{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CC5B9B796B375E6A51C9565A5961E43,SHA256=D97BF853DAD5E300658E5A4EA423D02A3F7E7239C985C78E1FC4DDB3C908572A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:51.021{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B4C049CBFF3484A00D9C00E7CE5330,SHA256=0473E56DF4119182CF00A68792DB536F9921993DEB766FE7D2ACB1BD4D60DD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:52.141{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6232D52C124BACE6868928607DD9B529,SHA256=C55A6C4363FEE4EBBBEC94131A34A7B317338458F8B95D907E430CFE3CB977BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:51.999{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F5F6603CF68828E55E33795717187D,SHA256=BBAAE39A657DEBA323D89C19389EDF9897EB926140A00A8B3FB2874DF150551B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:53.267{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8D904A46C7BB1B193700E8D5B3BFDF,SHA256=2B82111AA43DADB0410E2FDADFF8F83498ED2EEB7A0D8B6EA842B4DB6E607AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:53.070{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6204FEEA0BD0E24949FB21257E4F0D0E,SHA256=C126F95B6E01F9C502460FBAAB2561CDD5ED7251A13E6124166E25B9E169EC65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:52.803{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49357-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:54.392{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F747EDEAFFAC5B1ACE937B3776C0DC6,SHA256=044D7A25FD27BDEA498BEA54E1558A377DB589A61D56546F8158D7B1523DA923,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:51.061{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50459-false10.0.1.12-8000- 23542300x800000000000000034131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:54.153{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10A3B682A01D672E5BA353C3A267BFC,SHA256=859DD364F3E644AD4684BB78EA7B177A0183A7D32089E25B48DD55D7ED76F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:55.493{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B9C6925408096A432C9ECFF74FC860,SHA256=248B9A262328711850C343F282BCF9E9FF9502BD04073CCC89E46B9FCD04C7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:55.240{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2FDCF9EB65B817C7A11AF98969F151,SHA256=8A3E55DDED9566BF247CAC343CF756C78CD4A337D2D6FAEB460D0D8D4250300D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:56.524{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA5F5AFFEEFE7CFC0C8D3D0CCDF4A34,SHA256=6D52B476BEE46E3E36D6EFF4EB980208105CD413C9481516208933834AEA128D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:56.305{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1649DC7823C5EDF18C2D5F8798B6609B,SHA256=B11C49082F1B908E8A9BD091AA69387B963C23ED2D9A78A3F91E76210E844607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:57.627{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB7738D69015920FA4A3D4F48112299,SHA256=CF13CB45F9DE9A0AC76D1A667806458B16EA0062FCC4A0064BCF1738E100DBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:57.638{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1E9257485492AA5094746746705217F1,SHA256=9B54EE6FE2F7822AF418C5B0AB541E6D745A55C50AE407D1926722A0D502200A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:57.393{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C84D0B814324590BB44A035842BE7,SHA256=99B62597F5DFA639C14FA5338270994DF99E6A5E4A6980D28539164DCE660942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:58.749{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B74862B484D3CF382AFB13B5C54922C4,SHA256=608A3E697704AC2A71096D4FD53975073E9CFBC138F36AC2036DE165607C541D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:58.696{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB6BE968C09C6E288BD7D5E41DCC853,SHA256=19931C1764B52D1E83E9C61B67678F076F3560A57AAA5B9E9543C126F79900DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:58.476{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A158B9346D7ABB9DE52639B80708CAB,SHA256=7445E502E4263E0D572589077CD0C77AC6A3B04CEF152AD697D75F1D8D5A6790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:59.850{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249A1DE5909306E1E8C878CB2BB9A39C,SHA256=B8C84EC707027A26A186D840F9B0CF5440EDEC596C8A9EF72A75EFDA0735DAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:59.546{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71B0022946CF02066595EC411D98D4,SHA256=69535D934CB33B30B8434D217FACBA66869DF173BBC24226BED77D73F335CBC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.984{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.970{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.961{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.951{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.916{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000076318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.900{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F398B888412B29A32C2ABDA323B9B123,SHA256=007B5131CD765A513DEBC1D54E96C1FB702BAB34229B959E38F8F6C7DFE75FA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.898{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.884{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.872{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.858{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000034162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.998{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.997{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.994{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.991{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.982{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.980{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.979{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.973{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.971{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.962{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.942{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.937{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.931{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.924{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.919{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.915{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.909{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.903{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.898{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.892{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.886{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.884{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 354300x800000000000000034140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:52:56.924{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50460-false10.0.1.12-8000- 23542300x800000000000000034139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.626{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A253D70649C2416506656A4762A8AFE,SHA256=D8CB68F9C720911AA65BA3686660EFEA257F92FE971E3B1BC5ADA9383BE593C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.806{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:00.803{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000076339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.929{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4A404D5C378EBCFEE2B83E4F07D735,SHA256=F0C80069C873D870E0AA1AFFC7A728836863DE9756D2C6A7D25E79915407C54E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.502{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.498{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.495{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.046{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.026{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.025{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.015{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.012{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.009{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.007{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 354300x800000000000000076326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:52:58.678{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49358-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000076325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:01.000{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000034169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:01.016{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:01.006{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:01.004{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:01.003{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:01.002{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:01.000{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:00.999{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000034170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:02.025{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4CFF9F395A99C2F8FF0D0697C6647B,SHA256=CD20154983303064C279E0F4E8F87042A110292DA0881DBB51C5ECEA84931193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:03.550{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:03.549{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:03.546{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000076340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:03.032{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90C511DAABCF408419F240CE3698281,SHA256=181EDEE551E8B25621696C6EB2C884274534A48AE52FE4DE6D6ABACDE59B0D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:03.125{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F11C72B55074B831CEC42E80CF0A34,SHA256=F554A951F3A642EB57518BD648E184D2874B5F845E2C48F96E6E91314CD21E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:04.211{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD31EF40715589B81718ED9A2184EF6B,SHA256=C94BB96F15453A3F412FE1C700535F0E18B823EE51A2C7EAAC6BACA5D9B554DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.581{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-061MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.494{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.490{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.486{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.479{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.464{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.460{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.450{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.441{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.424{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.416{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.410{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.400{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.344{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.319{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.316{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.314{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.303{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.290{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.249{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.229{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.180{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.156{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.121{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000076351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.120{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A2D2A9E03FF6530D886F74C3FCCBA8,SHA256=D4F35360E5363ADE0594E0986E0F7CC9143929D9BB413516390494FABEC7A573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.112{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.100{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.094{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.092{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.081{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000076344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:04.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 354300x800000000000000034174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:02.068{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50461-false10.0.1.12-8000- 23542300x800000000000000034173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:05.292{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD57BA0F77BA8BD6C6E72A66C720DB3,SHA256=81CDA969C1456242E02185B918B9266AC0BC4F2B1BBD540C63ED1C5EFFCF15B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:05.577{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:05.349{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7658E18475FB4B6E967AA44B95EE3FFE,SHA256=BD184F91C98C9F57DF98230DDC7D38D1480FCD4DEE6A0C5CEE9EEDD5F58D8FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:06.367{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0101C41F4AFC8D59098D0ADC6C9496E7,SHA256=6FC05F900F33E4038171F7509D5142D917A4AFA100C1262CE591CF0210925D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:06.417{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1E4FFC0FD0437BB22F5944E6109A32,SHA256=347004E83EEB9FE7970B41B174D27F5BE91D46687C6D1F50477FCC237D2C643E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:03.763{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:07.453{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA613A37F7A2D5BD9CE17F333F7C8BD9,SHA256=6AD0FA38CC1A8E75278CACC1EF1F1A697A71DAD9B040F63EC195E57A249DD797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:07.532{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857665799F7A34DA7D3850617FA6D91F,SHA256=42CCFBBA04F10EA1237EA699650DB6D1D5FBC11905AED72FF14611A89AB59A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:08.540{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6284BCECC05A4919FB458EC992DF00BD,SHA256=2C12A283C1BE95D42B80B089F8883151310865A71F42894B61EB8BD23B5BC95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:08.618{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9293F7FAEDBFDD4B740A6F2A11D0140B,SHA256=835C9A0A39A74D84AFBE8CFAB8569A2450504C2A65DD9F5E29D0B805E55E3460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:09.619{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4159D1C774ED83F5DD76DAC18AF712,SHA256=61CED0AFC290237316B007438F27C5A166317C282682481EB9DADE9F99C1371E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:09.717{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC585E12C508A3EC5D2785B0C9993DD4,SHA256=ED150C28909BC590F31D194DA23C10B92ADB09AFE6597EC9BE566C3E70300C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:07.978{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50462-false10.0.1.12-8000- 23542300x800000000000000034179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:10.711{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A212D1E03B2CE57D8F3DCA2F2783CDD8,SHA256=6238184C97F9DCD448673FF49014CAA4E7AC733BBFA61D779D0A58A12564D2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:10.813{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510BF1EF58BAE643C72EC633F53E014E,SHA256=2B12AF3D605D2BFF0308FF19A37F2D765BAD0D026AF7B0DBE1A3DD27542C42E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:11.789{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6333A5D1B0803D484C634114D11C5C90,SHA256=628954FBF0007DAD2CEFF1997C191874B8DF2A3E7523147660F86538BFB4ADC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:11.855{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A4E1E427DB50BA8FBE37DE1FCB65B3,SHA256=587E6CA60455B601EDB72C0A02539ABD98037AEC9B9256D7486B401BBCE38F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:08.868{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:12.883{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB3C132CA8DAED0AC05A36691EF5534,SHA256=89C0D1E3F36818C096C76462F5B88EA5A893C2EF16F43E559F86A7C36751647A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:12.950{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B053AB429E3E9D70084798886A01B8E5,SHA256=DCE2BEA6BD904C675AF1C1C632698B009A1E467809F1ABF6A0DE5F636FF96747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:13.950{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8283B8B11A8704D069A48B395B46687F,SHA256=F7E85541D0095E396E69E345534A1B24658711761B730795F4F0FAB493EAFEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:14.611{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F5CB7E9E105DDFD900AF608E6A01833D,SHA256=18DA4741751FB2EE88BBDE4BFE7AA311EEF057BCB265BBC80FBAC6C1D31007DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:14.140{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BBAC05104C90E81F6EDBF53366121186,SHA256=373E272DC2A69743B5941F1FA8991057F20117D184EFB6353AC08E3135B9327C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:14.076{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA32D0FF783D3A6080B5A4EC6DFF7F4,SHA256=B04EEF87F1C713B180EB6EC9D588A6E42C3979B2ED5A243C1DD97F8F18F62B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:15.049{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD1FE79F7FB3E7D049D95E83DCAAB8E,SHA256=21AC2AB98CD160A4CDB10A02EF0791D6F2268A2B8784705F625AECD2237A7F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:15.860{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A220A8991B5426D391D098015CA72E32,SHA256=29BC326E6B4F3EC194F39B7EF745122BD4367FFA1FCE538EEE103399BFB130A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:15.201{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB99F7C5AF21A587883E577428155CB,SHA256=331B4DC9575815EAD99A02AB9B91A08AB7C608A85EC9B7691DBC20717CA2BE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:16.132{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DFBBDED43F125CCA364269BFD88BB2,SHA256=F4FD8EC67D66F266FE4BE0B617B2FD9200CDE0157556295E428EB16ECEBA3EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:16.332{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEAF77AED2B93F467CC254AFFB46278,SHA256=68E6BC26C07ABE72FAAD5534CF85D139247D2651B1E3DE19B818C3FABF2E6881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:17.432{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAEFAC0916D3925EE18F9A511DB14FB,SHA256=766471F36FA084D77FCB0EAB0991051BCC302CD26A6ED371509A9CCBCACF3681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:17.220{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43547DA82991F80DA187727B257301D5,SHA256=F18E5D1D479991CDFECDCC0B4CE1E225AAF532391529AF3620A1923B5FE35ECB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:13.945{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50463-false10.0.1.12-8000- 354300x800000000000000076392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:14.789{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49361-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:18.501{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E68879698C43E04DE45EF619E35E62,SHA256=7E121EF6BD971A1B3CB1FF79316EF4A51FE2892C78431A43BD55ACD6942BD26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:18.297{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9448E9BBFEF96CDBF469FE5D989FEE0E,SHA256=47A5A2DA7674C447833661D0CDFB70F99B72A74811825C85CAFC22D64759A6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:18.333{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:19.552{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA724A3CCCF546EFAB63ABE96BA0BC,SHA256=2FE34A9BACEA06ECC605DCC93277AEAF1178DCE6A125B5A2AB2A05D46A60CFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:19.381{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC1FB86D7F744675E330B73E02D58D9,SHA256=94426F6239EF884B3153F3A500FF36D1032E14A64C2088DFFFC50A0B86F5D551,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.988{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.980{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.974{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.964{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.955{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.921{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.909{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.903{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.886{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.823{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.820{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000076398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.582{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1605B048B862D212088BA44C1EAF7300,SHA256=F7CBBC6795DB8CAF030C3F5AE0C3A817DACE504350D3DF5ECAABBED9ED1EBE0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.999{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.997{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.995{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.992{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.983{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.982{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.980{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.974{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.972{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.961{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.943{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.938{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.930{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.924{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.917{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.912{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.907{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.902{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.900{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.893{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x800000000000000034193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.891{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x800000000000000034192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.889{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x800000000000000034191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:20.481{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA84AB59176A0CA9AF29AC818E84AE8F,SHA256=716E89596FFC4395B0F1CB67CD76398396EF05EDBBE1EE20F840689DCCB25D2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:17.953{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000034221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.646{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746DC993C137F7AFA5B7E1BF4B579FA0,SHA256=B81DE48797A6F632D18B6CB32F97CA7B436D8E92C3BC1C3241B377615D7FEA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.622{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9889AD599A3E162F8683C175D72D79,SHA256=86BC0B8F622A438AF12ADE06A37F5014BF406C863B0F7467731D29F05E578F05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.503{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.498{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.494{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.059{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.043{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.025{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.023{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.015{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.012{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.008{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:21.001{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000034220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.011{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.009{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.008{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.006{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.005{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.001{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000034214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 23542300x800000000000000034223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:22.739{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1033D0DF0915FFB90FB5E731241AD6,SHA256=A1B118C641755B43FAD26C24F8FAB8F9D0E4CE619B45B71BB9468488895F96EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:22.640{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F089A82638AF159E6EEFA91DE5A788,SHA256=21C6C414E7EE02592211C828BA85DBFC1B998F140683B2A2AD91161310897273,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:19.079{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50464-false10.0.1.12-8000- 354300x800000000000000076425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:20.677{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:23.704{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549EE1424C857FFA025BD44F745E7E31,SHA256=BBDE37A8B92CB767733D706C582A2A76DCC5FDB91169CE8B43238F1B9B041FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:23.806{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C15DCCAE2FD0EC7776F7F6C791EFD0F,SHA256=98BFD5CECCD4A5F6D56E189FA95B5D59F3D87D50695DC52A8147E0D09231F9E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:23.229{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:23.229{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:23.229{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:23.218{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:23.531{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:23.530{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:23.526{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000034229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:24.877{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F39711B4CD83D0614F17D07F6BF0D6,SHA256=C2CF9695ED58EEB62BE4964477F1D668406694E686CF91EE5A159279CFC7D2E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.307{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.304{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.300{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.296{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.294{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.289{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.285{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.281{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.276{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.273{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.259{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.222{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.193{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.191{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.188{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.173{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.168{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.139{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.118{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.089{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.081{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.058{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.050{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.048{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.045{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:24.044{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000076461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:25.170{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425E0906F060668DCF86D2ADB03CAD0B,SHA256=2D0884BE483485077B26B27B8EBD120C9441BA45A4A0720DD156084A56CD2F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:26.215{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D930492250395F290FF353F461A115,SHA256=4B1BBA1E2EE1FADECE2D27D89E30871CF6346494DE3468562374CDADA90D259F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.915{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=319DA8C63E7F15DA56E3061446A0CA1A,SHA256=B1D0D7C93916E93F0DB3E65B1A2F3BC360B27A36DEBC5E53405B14B3BF7706BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC16-63D0-4702-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FC16-63D0-4702-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.568{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC16-63D0-4702-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.569{72106695-FC16-63D0-4702-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.105{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:26.058{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65F1B094BFC34FC3EC79EC35CD196A4,SHA256=B1964D4AD2A79F6A512E1D66B68A08AD43A869F9E8C68DE5625D4B7E8E77C4F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:25.798{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000076464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:53:27.349{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d930a2-0xdf4f54a8) 23542300x800000000000000076463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:27.249{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A38496E77ED3B3B553FB5445473DA4,SHA256=263FB21B9879A77189B1173588F1D08C238C0E7D89A385A812A11C13ADD38D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.867{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.867{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.867{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.866{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.866{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.866{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 23542300x800000000000000034277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.839{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=86E2F97C64CE2C69D687D70B7883E413,SHA256=9715DF1151029CA330DAF34A1022258CFB6DF1E1231850F8BE286F9060078198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.800{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.801{72106695-FC17-63D0-4902-00000000BB02}640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.690{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E35F087ED324D7112BA616C96F666F97,SHA256=75D2361C127B95F2DEE67FF9DDE0D3EDA1793EC2F5EA8A69FEBACA19B4446261,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:24.986{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50466-false10.0.1.12-8089- 354300x800000000000000034261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:24.939{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50465-false10.0.1.12-8000- 10341000x800000000000000034260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.322{72106695-FC17-63D0-4802-00000000BB02}35923464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC17-63D0-4802-00000000BB02}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FC17-63D0-4802-00000000BB02}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.181{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC17-63D0-4802-00000000BB02}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.183{72106695-FC17-63D0-4802-00000000BB02}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:27.134{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48517FA6A72B6B43E468B116F6852142,SHA256=7B7DA8D8115F9B8B2C9B8A706BE2859825FADF3D3A038F1CECEC6A5BB78442A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:28.321{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48F617E49576897B5F620964739E656,SHA256=D23DBB33AABE6F59DFA5F9A3BFDE31A591B68D1D4FE5264A8710B480BCC6EC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:28.306{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A929AC5B44CD08AD90E6B0BBF22010,SHA256=782B00DFEB05A83791EBE63D57C59147F74AFCD5FD3F317D695B77E379F431C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:29.372{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC37C68194C48546D965576E17E0526,SHA256=1F4B9BE1E064A50F5F65611EC5F1427CDBDB2447099A520647D25CA9130CA1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.418{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E085F0D4C1DD4125A056086605C0B721,SHA256=5EA76BF1CA02505BF94704D62D5740E9C070A1D4C2373E31AF4CDD0909EE6C40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.356{72106695-FC19-63D0-4A02-00000000BB02}952964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC19-63D0-4A02-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FC19-63D0-4A02-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.215{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC19-63D0-4A02-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:29.216{72106695-FC19-63D0-4A02-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:30.500{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAEE62441DBCA8E9BEE1FBE88A3EDF7,SHA256=C6E610C6ABC5D11B46A5820A26729979E217889263DB8C3BEEC8786926563B1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.505{72106695-FC1A-63D0-4B02-00000000BB02}29201184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.402{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC99F826E1709D10AD978B5980F551A,SHA256=D8CED4248C526A99BDDC196CC1523EBEEAF98C2726264C40B3F7F31F60561655,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC1A-63D0-4B02-00000000BB02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FC1A-63D0-4B02-00000000BB02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.370{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC1A-63D0-4B02-00000000BB02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.371{72106695-FC1A-63D0-4B02-00000000BB02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:31.558{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267EB4C6E6EEE8F652E3F4E5E12D18B6,SHA256=48914667DCB31C896EE66B1142AFFEBA6145CA7B3DDE77F2C12471A2E0505357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.499{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01EF1610089DEFE5F2B4CB07A854B59,SHA256=DEAD0EF26D8A6DCC2989B3DE667E783E70258E6359F20E6AC6355FB1283F4168,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.224{72106695-FC1B-63D0-4C02-00000000BB02}31803112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.136{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.135{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.135{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.135{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.135{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.135{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.042{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:31.043{72106695-FC1B-63D0-4C02-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:32.628{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D22B8DA4926BCB9341F1C724FD2FA1,SHA256=FC48980758767CF78A70EE5D20D9198A3769BC3F9F5070A3DB231A8CB501EC92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC1C-63D0-4D02-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FC1C-63D0-4D02-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.825{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC1C-63D0-4D02-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.826{72106695-FC1C-63D0-4D02-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:32.565{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A71F7B978162CA8691C98CF09AC552,SHA256=87579B19868A4954AAC41C04AD8316EA58220725C679369703A0842C5439B41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:33.647{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4305ABFD9A0B8A5ADE9C37251DCA00E3,SHA256=028962342C9464A4887AC9B2357A7F2260211F330FC1A238ADF456C2E1C11111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:33.965{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92093596AEBC4A8D2BEC5B9C2707CAD1,SHA256=18D52EBDD552836135544D6DDC83A4F71BFA23D439CA7BBA72AE2E78CECC6565,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:30.104{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50467-false10.0.1.12-8000- 23542300x800000000000000034350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:33.643{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5E124847E0DAA000280481A38FC3D8,SHA256=61136FE323D180A1200E7AF38EA2B71C2615ED26118E79A427B0DA2F6447C66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:34.742{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8A0A464A9D5D8CAB9FA169D0D9B267,SHA256=50285766F7FCC02E3D5BA25DE59488B92DF0234B07339BEC2FA74D3B5AE981DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:34.683{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6D5A28CB8DB0E83ED92D381A888DEB,SHA256=06D0D50A6AA9CC6D4C574C6BA76051D3974A26133595FD0C5D961E4F1B991F00,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:31.764{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:35.827{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744A13182054B655C416B094F354D4ED,SHA256=636052CA43407D7F18006608B19D5347450D8C61BC4B9348D507D7209D49E162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:35.748{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D773760D326F21FFEA344995EDA7EE68,SHA256=6BD65843E5DA1D7C904172AE1FFA073A2FAFF4B9CAC9B75C73F1F76A8BCE1261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:36.907{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59605C18058C0B3961C2CCCB8A3B579A,SHA256=5EEA97C7AFC7E40C84ECE35D83F47FAA027C565DD0237FD1EE9C3E8BDE8A78F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:36.770{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F40166010E9DAA04C8E48B479A5E993,SHA256=1F8E4EA3E3EBDF15321963C7E6BD0E30909B23E7E911DDA5174DE190BF53CE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:37.818{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EE77CCD35FBAD7F7A1D2CD280B239F,SHA256=C2F1010774ACB554B2B2F21B8CAA527FF4A320196AD77C824BA0951FDD64DC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:38.859{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227F968D4FA334A6F23B638BF315112E,SHA256=D83D053FC42254C13C7A165F4280990A8AC7A62241BF418C41A4EAF5029AE587,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:36.037{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50468-false10.0.1.12-8000- 23542300x800000000000000034356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:37.999{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A15C8F3781C7DBF199438A5B32CDB1F,SHA256=119B99802F84A8C33BEEDC7CBBD96AF7EB59469AD7AF55D95EA79EB1F5F9C74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:39.923{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0723214E2A016C24AFC11E6175F6AE,SHA256=4052C400F0B36D340682839C9F28007A838B15C127216D124AA8781A01DB002B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:37.710{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49366-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:39.205{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\aborted-session-pingMD5=8A4944271BA21B1A71217110B7223417,SHA256=3C173D4BA1C2474B2B41889A39EDE780B2B007432BC15878DB0C20C3D525A0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:39.065{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4948F99EE93AA668C5687FD072C22F1,SHA256=F20FDDB22457A43294FDCC215E61A019BAB5BD636740F7BBF12E9BDA7600ABC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.993{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.943{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.929{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.913{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.901{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.886{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.824{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000076481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:40.818{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000034377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.993{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.991{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.988{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.982{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.980{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.965{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.946{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.940{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.935{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.929{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.923{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.915{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.910{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.904{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.898{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.892{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.885{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.882{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000034359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:40.151{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0247F62A35774954D58E1FE049E9A0F,SHA256=D3029F68E4790D1A01F45A297398B713D6AB335C438B370EC5925BBE092071CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.795{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.789{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.784{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.154{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.143{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.136{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.095{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.085{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.074{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.052{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.043{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.027{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:41.002{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB571BDFDC6D14436057FFFDC404D399,SHA256=37E553F9DC49C0E55EE5DC91328A59067BE577DD4639677498204EC695F7C6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.265{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BDFA75C275A6B7B55A366232021A5E,SHA256=77848C6D5EC6579D259DD600FB2126F39FDF15B3EAC302BCD842224F770BBDFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.020{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.017{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.015{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.013{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.013{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.009{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.009{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.008{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.006{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.004{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000034378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.001{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000076515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.894{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.033{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF76AA7654D1692574E90967BF33F31,SHA256=7758F3F0D0FBED797497DF3DAC51CA9B5DE116B13B25BDC1B56B75549585C002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:42.317{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2F7999D56505F4AC3F103053A67377,SHA256=282A24F0A1740B6D0EF16189FD4A10C73126F66070A807E2F5E211096542C7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:43.398{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC34BED8CE6988A72CCB225D6AD6E6FA,SHA256=7AE223952FB6D998D3C91AB17FC204114B89FDBF3C84634143B451258C58EFEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.858{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.854{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.853{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.768{45AAC21C-FC27-63D0-8F03-00000000BA02}73687980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.599{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.582{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.582{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.582{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.581{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.581{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.581{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.513{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.512{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.512{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.511{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.511{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.510{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.510{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.510{45AAC21C-FC27-63D0-8F03-00000000BA02}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.112{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD3CDD0A3C21FF96143DA32FC40DB7C,SHA256=9A04C23F5946B7A104B309AFFB35A149607C101F3F44B45EE1E2FAF8B0D0C432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC26-63D0-8E03-00000000BA02}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:44.493{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F16030989B1F8FDF5292CD56B3B97E9,SHA256=70D7CDDE2ABEB455005C147D41DA14AE0953C6E228F8729DB236D5574855F0E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.749{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.744{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.737{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.730{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.723{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.712{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.696{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.691{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.687{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.683{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.676{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.659{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.601{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.551{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 354300x800000000000000076572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:42.805{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000076571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.548{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.540{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.538{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DDD6FBD815160BBCC5D0F915CE90822A,SHA256=540EF4B378BB1EE6B468DD9FF93BFB7EC4862B4F9F72DF28D48ADA5B42090E49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.532{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.524{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.477{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.463{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.418{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.410{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.398{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.392{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.389{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.386{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.383{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5B04C85000FBDDD14B602F9F09D85093,SHA256=C8B6393821366A7F66289F6D3B50B8E37809D30E0724EBB87E8FB4DD0738759A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.383{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.381{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.377{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.375{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.153{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231622FB043C6E59E5E42CEF18593DC6,SHA256=C6EA2D7B4CBDB43126912326E030ACCEE9371F20924E243CE3EA2D4B186CE58B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.069{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.070{45AAC21C-FC28-63D0-9003-00000000BA02}7328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:44.029{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=408126EA666B218FD1C8FBDC9DB997AE,SHA256=54899DE846F5D0E28A386F6117127674F6CA795C224EA7CC04B8152FF238C56F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:45.570{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CC4794398CEEDCD408DFFC6D9876CC,SHA256=E5B2CA36A73088C1CFBD8158EE0D69C55ACF0F9576F91497D43CFE046645D27C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.636{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49368-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000076588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:43.636{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49368-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000076587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:45.131{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1567F220642016292C883A21790AEC,SHA256=9EEAE5FB628A54600076DB60B13493819243BFB257F985AEB2CA65CB630F88D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:41.955{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50469-false10.0.1.12-8000- 23542300x800000000000000034395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:46.653{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02226C70CC9328BA5C92C3BAAEB19BE,SHA256=A29BC7166B4D99F58CA52A7D9CE6D5D7A7862C5945F19462435D3869D98E5314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.441{45AAC21C-FC2A-63D0-9103-00000000BA02}56487844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.208{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC2A-63D0-9103-00000000BA02}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.205{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FC2A-63D0-9103-00000000BA02}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.204{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC2A-63D0-9103-00000000BA02}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.204{45AAC21C-FC2A-63D0-9103-00000000BA02}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:46.187{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3175AE8D1DD342BC02E7816E36E06C3,SHA256=51BDDFA8C099690BFA9CEBB6E211759266D75A5E24F8BE7CC173BCF3B1E5B944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:47.740{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F828E2A6810F40AA6D69C9546001D672,SHA256=B73B6EBCC6F9A07AD8210259A0D03E53A218377CC9433210D48FDC9563BCD748,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.910{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.908{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.908{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.908{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.908{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.908{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.907{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.907{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.459{45AAC21C-FC2B-63D0-9203-00000000BA02}50887228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CC66FBFE8997DDE7AE77008B076E34,SHA256=DDFDFFF0B5D4804834C8DDCA9A2017EA9D4987B264156F712BEB906ABA9A9610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC2B-63D0-9203-00000000BA02}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FC2B-63D0-9203-00000000BA02}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.234{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC2B-63D0-9203-00000000BA02}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:47.236{45AAC21C-FC2B-63D0-9203-00000000BA02}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:48.818{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A57F905880A667FB764D7D637EA0396,SHA256=B9C8FEA5527FCB5E53ED574BD04CE5E9BB5395CE3DC67C9AADF406B9FD8BCFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:48.291{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AA6F74E8897EAF3B21CBD76366BF26,SHA256=3E1098DDD95187A35AD03F3703B8B9931CA14D0D53A18F5D89C1478B261CE102,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:48.144{45AAC21C-FC2B-63D0-9303-00000000BA02}70765660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:48.075{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:48.075{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:48.075{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:48.075{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2B-63D0-9303-00000000BA02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:49.909{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C845861D3BB92320159052C273198A,SHA256=250EE362A0219149C7A47DFEF07911CF028AAA6318839135D696D67D8EF74EEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.994{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.994{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.994{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.994{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.994{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.994{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.995{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.381{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995126657459CDF8956944235A7F29D7,SHA256=310001ABF1090DD9FEA1B62B0982BDF2F9D3B417D128E2BEF9E8042C6910A29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:50.996{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E2A63567A24A0805D1968DFF1F5D3B,SHA256=21F91256E76CC9D721A1F357CB0A76D74B5505102E9D7F357FA38DEB08914FCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:48.697{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49369-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:50.440{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DF60DC41554CAFC64FC516047C5604,SHA256=3D2DD62ED5AD4E8A9DBD250051B6B87D58003032333E5FE59AECB45C720153FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:47.091{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50470-false10.0.1.12-8000- 10341000x800000000000000076636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:50.063{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:50.063{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:50.063{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:50.063{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:49.994{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC2D-63D0-9403-00000000BA02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:51.514{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D084F8C2B452A0DFF5F94D2797F86233,SHA256=AC09D27CEF0FA21F049B8CD4C0C5719FF60192FD928034E83B2BEB39FB4F7BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:51.405{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-062MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:51.013{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DDF01E6EF91E37F1930C5BC74F95C36,SHA256=98EE5A0921C9050AE8F97C32329AF8E0B429F61C2AE80743FF1EBC66FDF02EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:52.582{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C735582B4F2BF7BF1994CBC52F29E9E8,SHA256=78DADF832B6B0DFB845CB0447481C8FC02485708C6B7DEDE8EBDD396502A0460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:52.404{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:52.174{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DC15391ABE8A4A5EB750AB37096A18,SHA256=B68C6FAC4102E6ACB7B811C40822FCC3B435A3C337FFD2FE085DF8519421A34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:53.619{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001F9DDD3BB83682295AD71073DD1713,SHA256=3C78ED01E01FEDEC2B587ED91AD9192C3FB87C2ACB8317697DF087F05A22CA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:53.238{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD376C94E72E5848AD9F358DF8D2AB74,SHA256=DA70595138BD71166C6EE2384FC9247C6809B4CBABB64CD8A1C894286CD10EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:54.656{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029DA26341A50D341429B872697FD268,SHA256=098E85C67B8F0C1C02969446129252E04BDE4F5E2DBD95B104C77CEF6597587D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:54.320{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A15C59985EE2DE6535F76689C684DA6,SHA256=804DE0AF59F1D0E55E07A2B98ED88FF21166FCCC05C4CBCD1481F1BB8193363E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:53.807{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:55.677{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E56B60AADBF554FDC5E2A215B44917,SHA256=1A5E0888ADEA205A3B4B2A66A99D376DEF684EFF662F9A791D718BE35A41EA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:55.393{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597E0370F1B05F02CBF724564AEE39A6,SHA256=D99BD4D9022A6C0F31EC664D90CEBD6CB42398B256125E916E4583DF31A33959,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:52.966{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50471-false10.0.1.12-8000- 23542300x800000000000000034407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:56.460{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E6319F5D74B3ED68C822A137B0A108,SHA256=A06819CA052826C7A16F4F828EBFDC5D1D600EAC2D7FCDBA02CE9D2FC906A24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:56.724{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F5013876F37F39C30D22134B7DD13B,SHA256=2986FFB7980FECAF48AAF0276927D8DFB8010B384C75C7F914A8271C11453003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:57.534{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B48AFA937D028ECD406FC86DD4DAC1,SHA256=50C1F1C9F6DC6D588FF9FA176989E4E069E491476BF2B96925AE49763DFFAFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:57.757{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CDC287D9979B2F65C11E7AAE2D75A5,SHA256=2A63DE3271F39B4518869A3C14E615F543D9BDFBF4CFF4D6DD0E93ADC4C544EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:58.612{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B629285A7A9EF8CF71902FDC26B844,SHA256=4B6D6B8B96D6CB9A2F468E830C062DC44C1A1E0950C42C568114E67883FE2228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:58.826{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3E06A3BED8FB29DD2785A4646FC122,SHA256=ADE0A5BE4573B0F12252CDAD6ACE5C62120D321B7EBCE4C72D86977374AF2F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:58.109{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=208A0855B057FB8A759B200671EEAAAB,SHA256=4A816DAC111ED5FDBDAE980BDFE311157C048B1497DEC7CCCB455ED2F3EEA51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:59.703{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E124CD017DDDCD31CAB45CFC0D278C5,SHA256=CC27862A267E0E392DF4759B547E328FBCE996DFA5723B0DFF2DC2263EFD3891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:59.862{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75777CA468225DCA1A0ADB130957F4B,SHA256=E4360C0A793F36407EC44C448CD4E7D9129ADE2AAF018D2516E61A35B7ECE264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.961{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.940{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.926{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.909{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB0B7E0915BD50499F80FEE68C0D954,SHA256=8C8FAB154AC8D2B3B3EB56690A5EC6879FF81F2B7A702719ACAE2B7FD0898D36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.897{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.882{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000034429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.998{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.995{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.982{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.958{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.943{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.938{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.929{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.918{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.913{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.908{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.900{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.890{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.884{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.877{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.875{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000034414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:00.788{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BAD7C3A944C0E90936B4E2E0E94014,SHA256=7CDD741A3047F66346C205E506F18C04F4FF86EA728AC248B5AC8FA3D6CC9F5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:53:58.098{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50472-false10.0.1.12-8000- 10341000x800000000000000076651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.808{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:00.804{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.922{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C339F576872444EAF9410B1BC89A84,SHA256=DBC61EEDB1B1A23CEA9E7E3A48B512936C1C1C387D25F06627FFE32DA03D6F4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:53:59.707{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49371-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.897{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1858F7418BE87A3E94DD26718250958A,SHA256=46D722AE3D365AA35944CE6AF1917326A152427E244DFA97E06C47B0CA17FDB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.717{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.712{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.708{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.180{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.174{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.166{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.144{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.142{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.131{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.123{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.120{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.117{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.103{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.085{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.055{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.034{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:01.024{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000034443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.037{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.034{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.032{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.030{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.029{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.027{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.026{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.025{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.024{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.021{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.019{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.011{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.008{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:01.004{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000076678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:02.994{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7BA423BC4012B8EA2FB2BC67CEFA35,SHA256=CC40E7AEB6629D5378FB5216DD78DAEBFC8549963919CE9529E637C5EA7CC0C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:02.944{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE604B8B4F1D2E484E86728480102DCF,SHA256=6AE64F7CA479BCE6AE226D2872AB63063654FA5CB8BD40CEBB63A1A3B2D91AD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:03.759{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:03.757{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:03.753{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.660{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.652{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.642{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.637{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.630{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.628{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.619{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.613{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.608{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.605{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.599{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.585{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.546{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.515{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.513{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.511{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.502{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.498{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.457{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.428{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.357{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.342{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.305{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.293{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.290{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.286{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.283{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.281{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.278{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.276{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:04.047{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4399DDF4BA07179E0488CA182EC2D0,SHA256=168D98F6D37DB3D0D7D4FBA5D9992789B5387DEA9945E9194A24D3F530F91684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:04.018{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0CA828634153F3C8ABB77A81BD38F7,SHA256=2D1496C7471C9C8B05FCF1B5FF013C61A69B15A517AA6661C5D34C7F197E6363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:05.400{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7381DFAE2685860FDA3F613695F24F,SHA256=2FEDB61112F7C6784CEAF117684F9A42BCA431D27561F17063FF0A0C5D0DDB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:05.102{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFE5043C5A913612750633324C31A11,SHA256=F84355EED1ACD03693354D1A326C09CCCE85E2DA19FB392CE455763A0FAA4448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:06.479{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C48095565A24E07B62512D50999B2C,SHA256=0AE76AAA4B3436B6057DFE1160554DEE33786904177552D25D53CAA4C99795AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:03.967{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50473-false10.0.1.12-8000- 23542300x800000000000000034448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:06.187{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F9602A1A0BFE39CC10169FDC6A83E6,SHA256=94B783BD651D8093ECD31401CB219E2C316D466CFFD6C6FB14F9DD8981D51BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:06.104{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-062MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:05.714{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49372-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:07.554{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5992B68966008F4400818AAF99C6C8AD,SHA256=D028CF71F9C26DA79B4B31DDA731069BF19E518FDD928612AD6CAA44FE774D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:07.264{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F50732756D52707AD94D49F1CF72173,SHA256=C67B924D06F248084EB05BFEAD024C5DF09A7474797FB17189DE555F28A68C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:07.106{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:08.638{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE647AB35FB4612AA81513BB25A29CE,SHA256=878326FF0C0F223C51B736274889CE768823E73735EBA9235ECF5F0117D9BB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:08.348{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDFDDEEA0304D60FCF88540D0379562,SHA256=368955B1E968189F8F7D123A809F64D510B08EAA6CA2812D13A5DF1E42B7918C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:09.711{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0E36E6EC4D6A0C42900A9FE462AFC2,SHA256=30E2BF2079E456C02CD68DE4F0BB2AC07FDCD8DCD9C26A3A476B254DC3D7B5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:09.423{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED286FED10338876772118333A3E14EA,SHA256=DA0875E0B540DD84062CAD332E1ED2DD7281E2C16211B211F917F8F9AEA256B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:10.762{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1F02641DAC040D600E9837B86A3E15,SHA256=C49BCEE017846D5FA8BF3662A8D4B31A5834B933442F53E32E2FE99CD24FE906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:10.501{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB346AF9847E16123EDCD69EC9022860,SHA256=F44A45E330944B48E07837DD436EF251D6D254D9F4E0DD42F17240F67AE5C106,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:09.091{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50474-false10.0.1.12-8000- 23542300x800000000000000034454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:11.583{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B28EBA53EF87111BBE7E79B7B4A530,SHA256=40EBD1BD2B09F4182DB89354927EC5549DB3FBDE7C48C61276E2B4C0961B03B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:11.844{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034CB2CD40B830F01C714A873CD2237F,SHA256=35733289CC0EDB01478452C44028D235210745743A4AAD8E686389F14D216994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:12.667{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E7E05B811045DAAFC07F41D1F97DB0,SHA256=D5BD0A0E24470D5DA670D26A732C1144011469250F44F528A0B4B0C7F615CF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:12.915{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACB2D6280CF81AB45071466DE952BF8,SHA256=832E6B3EDA6307E0C51B34212A8319C623ADD3B4B48C0EA93D9BB06B06D0BEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:13.754{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B870E602F828AB6E3C8F416FBCA8AE,SHA256=41AC1842549C60F73C50DF8821D35120330412E394C32415ACF4F74B71BB0889,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:10.864{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49373-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:14.838{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1E1E806069DB920085A152C0CB66CB,SHA256=4AF7A1CD0E4EE329D56479530EF16A442BF5300555DD6345E5EB6CFB9F37E2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:14.619{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5AB86D6AFE9A6BA6B00BDA9BCEE7EA34,SHA256=3987D75D41E1577E883B9A63B32FAC484CD2B40CDCAF883758F79FFBB3BD2B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:14.649{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=40A5BDA7AB864664AB93F12DC7F845A6,SHA256=63EC178BE3C24AC20E2301F31A8FCF18410FF35697D77DD40544627662CBF4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:14.016{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F9C04B3D31521956EA04B6A616CE65,SHA256=15A4A598C375220C75694DD41B15FD59F3CC2AEF04A031D915F46DE5A4B3530B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:15.913{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF3702A71A9E7773FA7A140C0F7685C,SHA256=46B58FD301730743C167DC979511611E34E6291071C8167212EB5FDB3BDB08A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:15.867{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C113F42C854EE90AE7E2FB66E6F77D5C,SHA256=6050D47E79B5D6845035BE778F3A63EF82575D757163542D3673D5A3640CD3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:15.118{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9394EB7918589807E05A39B7D0B2C7F,SHA256=26599E9544131C7FEAF87F6943CDEF6D807E803C2320E5F59191953148A7BB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:16.987{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EF8A3F51189516BF4C1CB99FDC6577,SHA256=69BBE65AD83B0D7652A7FE0D07C2A228683DFC968C8E8EDD936990A80DDCD5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:16.170{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B8B51376FA57236A97D85035718063,SHA256=407F7F6BC2188EE4E16CB7CC53DF181EB0EDEB766912E268914947EE6703CC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:17.202{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B2E605D02439964600BF7B7FA77C7B,SHA256=7F7189DB751D74C0FB4AC5DFFB809F7601AA7AD987BF3D6C9D8B14B012C04E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:18.358{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:18.260{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7698981440C7536665A6408098AA14E,SHA256=394A06BC75D4DEBA0F8724F342FD9B4B2495DFF0805440AE46AA5E855559B5F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:14.989{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50475-false10.0.1.12-8000- 23542300x800000000000000034462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:18.088{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A021FCF36CA461E365F75D870D631940,SHA256=0DF401274088FDC41AB8AF6FD96EA053F9483E0BE5193AD84F2409088E6F703C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:19.359{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FFF864FC1826AAD4F475562C8D6766,SHA256=1102416608C237D7EF3ED2674BF2F4461E00FBB31A18335802E9CA72F07EA4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:19.152{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7631F8D8C416568D7735EC1B9AE50A,SHA256=FCDA2FF10D3D0EFCF2A11EB90C7C4982DE927EA474E39518AC12829A0E6A35F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:16.810{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49374-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000076746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.987{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.969{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.921{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.910{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.898{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.889{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.835{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.829{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000076736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:20.409{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916CF06231CAB9B78A21A45C0087D85E,SHA256=645E2BB0B08B8B8DAE1BB572EB4B9238C81F0B7D27165C04B0CE7E84EF70DA34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.977{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.975{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.974{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.968{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.966{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.956{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.938{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.931{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.925{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.919{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.913{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.907{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.902{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.895{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.893{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.890{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.881{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.879{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000034465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.246{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919934038E3519B9CED4E27C57F8F7C1,SHA256=BF383F725DF499B84452D05800ECA716037AE571AA1F505238BDA39C44C0600D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:17.979{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49375-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000034495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.455{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855A89D072148C7C9AEA3CB974B21C90,SHA256=D29AEB1426C5AD54C30CF7F7D7839E96272EFCFFA66D6CBF6B661C87B5EA7AD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.811{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.807{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000076759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.451{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207AFF53752DDA27A4CD148E2741046B,SHA256=3613485E98D4C4747577B04BFFAA8B11C46903453842F2626EB7F0406755CD1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.132{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.118{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.064{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.061{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.050{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.039{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.033{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.029{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.023{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.008{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.003{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000034494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.017{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.015{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.013{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.011{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.009{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.008{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.008{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.006{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.003{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000034496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:22.780{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8683F8A927AFA1840258B7F225517E68,SHA256=0CFB631E914EBFA7BC550032AA1F8D69C36F74A8BFAA359AF6D92A305C147C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:22.488{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4B7BC1534C73CDF4B87FE618539F7E,SHA256=56468026E5B6E219328BDD37216892EB880C9202FA3B6D64CA06EF039CE05D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:23.955{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F042C0681336483DB9FEF9632D6915,SHA256=7CCBC8076799FC0BA03ACA3CFCDB9C7B9F4D78EA1CE7F32E8E27CE1C1B3DD148,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:23.865{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:23.861{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:23.858{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000076764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:23.558{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABCDD3FF19CBF897B523874662CF297,SHA256=2FD0FEE7E01DC7CC6FA17C4A676211A3B2893E9648DF7DBA0C5C2E5C00FC741C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:23.236{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:23.236{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:23.236{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:23.220{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.764{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D35D18770413B79BD8B816A588FB14,SHA256=18177E2A47AA90AEF23DCBE25F88A6D2920F1421A8D34EA0D19551A937043D3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.712{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.705{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.696{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 354300x800000000000000034502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:20.996{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50476-false10.0.1.12-8000- 10341000x800000000000000076833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.693{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.688{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.686{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.682{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.676{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.671{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.663{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.659{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.645{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000076824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.616{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17813DE0586A8BE49ABE2A3253E979E7,SHA256=E092FF537477BD9FB1AF1D7C1295D5CD65792567B32F78C50ABBB8A730653BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.604{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.603{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.603{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.603{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.599{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.599{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.599{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.599{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.599{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.598{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.598{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.598{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.598{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.598{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.597{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.597{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.562{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.558{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.549{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.517{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.499{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.443{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.434{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.410{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.400{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.395{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.387{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.382{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.381{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.377{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000076769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:24.376{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 354300x800000000000000076768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:21.887{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49376-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:25.599{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49E410906B53B2D54FA9F58D0879B40,SHA256=522335DE8AF82E7258DC286C8E8DDC446AA64DD68823138C0DAC3DAF883F5952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:25.053{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749549DE4603EEF808A17B1261604580,SHA256=30148E83D8E9E6BFF9DC1B571FA8B5141DB36D750B9FF3D87DEAC98CCE040EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:26.648{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47E0F48927D0EAA8599A8439BD4B3A4,SHA256=9475364755346E16DE1B548C3A80FACFB80C3EF8E6CDFE652AD3352B52D63491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC52-63D0-4E02-00000000BB02}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FC52-63D0-4E02-00000000BB02}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC52-63D0-4E02-00000000BB02}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.570{72106695-FC52-63D0-4E02-00000000BB02}1776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.125{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.125{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF5163307B5BD56EBF56B708E732ABF,SHA256=E0056B655286FBCDB10033FDA557716D28D506FC73231ACECD138ED85E3FBEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:27.765{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1AE731B4B0B77699181BEE4E1FF63B,SHA256=64D40E3DEB754C2D06A75839EF43DBC01D08B7464F4496A6A5B074397BAE941B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.880{72106695-FC53-63D0-5002-00000000BB02}9882068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC53-63D0-5002-00000000BB02}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FC53-63D0-5002-00000000BB02}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.740{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC53-63D0-5002-00000000BB02}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.741{72106695-FC53-63D0-5002-00000000BB02}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.615{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97593A9225E5F82ED9087A5394EF0C5,SHA256=F80A6FA355F533924E50F380745C05FD052EAE453AF1E367800F0E41AA958CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.318{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FABB74B0145F31076CA489749BB7A838,SHA256=B16F986E357E879B29F9300A3B5AD0AC9FB5D1C230BD909A5C4667B0F3AEBB17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.240{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC53-63D0-4F02-00000000BB02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.237{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.237{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.237{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FC53-63D0-4F02-00000000BB02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.237{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC53-63D0-4F02-00000000BB02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.237{72106695-FC53-63D0-4F02-00000000BB02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:27.210{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC70BC040FD29AFE4E8D808C01BDDC8,SHA256=7C0F728FBD873F670F6E5BACFB2EBBF9B396BCE3A8CE7897B4B0196BEED4BCB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:28.850{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992DA95BCA92EBAC10E2B354865E1BC5,SHA256=AAFA66CB372352F4E0EE39AE23C5DEFA28EC11AC72C6D336D003CC1887A1CFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:28.354{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05392EC41B69713C11BB2175E760A208,SHA256=EAD1D8D14A73B6745BF5EBB4C8BEA98CD2F444DE214716685E3B70ADB7CDA5ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:28.323{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F3216CB26BCB4FF4E9D7EAC82B7C8AFD,SHA256=28D8C4B2B6602A5DD051ED8C25A506B9FA4C7EB55E6BD3496178E5A4558216B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:25.006{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50477-false10.0.1.12-8089- 23542300x800000000000000076842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:29.982{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD43A5D1865616D82ABD152FC726385,SHA256=39CD2053A4038EF8CD76171A3D364CA6A115FF41FEE276F2CE5445F74F13DB08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.384{72106695-FC55-63D0-5102-00000000BB02}664832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.267{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7142E06696589DEA41169F0169E3EBB,SHA256=66542A028442219A4B2A8494D3FA4C5BFCB4A71F261AE7C41802286EA47D7BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.260{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC55-63D0-5102-00000000BB02}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.260{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC55-63D0-5102-00000000BB02}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000034566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.260{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FC55-63D0-5102-00000000BB02}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 354300x800000000000000034565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:26.091{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50478-false10.0.1.12-8000- 10341000x800000000000000034564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC55-63D0-5102-00000000BB02}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FC55-63D0-5102-00000000BB02}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.222{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC55-63D0-5102-00000000BB02}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:29.223{72106695-FC55-63D0-5102-00000000BB02}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.537{72106695-FC56-63D0-5202-00000000BB02}10763696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC56-63D0-5202-00000000BB02}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FC56-63D0-5202-00000000BB02}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC56-63D0-5202-00000000BB02}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.388{72106695-FC56-63D0-5202-00000000BB02}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:30.356{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2584C9F86070205759F27D5831EF7689,SHA256=68F303228D09413F5DD90373424FC742D1F7663A7D64F73A09CD3E456884C560,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:27.770{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.790{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90A75E7965DFF0B8A691975783EABDC,SHA256=5B40C60D5D31632336877651D0D93D660A3C4BFC070DAA5281D2AA5E91394701,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:29.340{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local138netbios-dgm 354300x800000000000000076845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:29.340{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000076844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:31.083{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5761BAE1864EDE6006BBED9DD51EA46E,SHA256=F9AE8A33F81DB3F4CA199913E7A290F3A411E0A20ACE6FFD058E5625167D231C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.203{72106695-FC57-63D0-5302-00000000BB02}2336304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC57-63D0-5302-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FC57-63D0-5302-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.062{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC57-63D0-5302-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:31.063{72106695-FC57-63D0-5302-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC58-63D0-5402-00000000BB02}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5C13B635494763ABB2AD62FE405ECE,SHA256=0922C350F3664BEB32E3FF2E421F048B2FA3D9C6A4C9A2BCDA8348BAF55148D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FC58-63D0-5402-00000000BB02}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.836{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC58-63D0-5402-00000000BB02}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.837{72106695-FC58-63D0-5402-00000000BB02}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:32.202{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7DF9577026CC97284CF55703EB110A,SHA256=F9BB7916F1DAFE178F47E72CA2DF1D0D30AE3ADC965647EF2008B52173CC225B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:33.911{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591D40465E58F0CBE5D68D54F678D01B,SHA256=79645AAA163EF3C316465F1B25DD245A5E304569F1D4ADB806B583B92E122405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:33.895{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C709DC5D6FF1BCFBBB77865507E16AA,SHA256=B61D20564F8F1B45F7C446B0DB8AD430FE390F2EA38890ABBC480A3DEF7348BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:33.337{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3300E9569CFF11B2614D29205A186404,SHA256=A20E018E584C08C79AD153FC0F2DE38DFFC856B35A385514A444F46ACC6AC3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:34.992{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E2DC58DBCF3D4984ACC4C398A322BE,SHA256=6015F0E04AEFF5C7896A44F6BB3C79D490B22D15CCAF8771A4CF171907E3139C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:34.409{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD8054EE7C362AA8F2BCEAFD2B3532,SHA256=0B6F7FAD0AA89427D5AAC0281E5C4BF408B9783F212B1E852AF7F03EA8EFC1F4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000076849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:54:34.031{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d930a3-0x070e458a) 23542300x800000000000000076852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:35.487{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD5B92A37582461E63B26E242DFFF6B,SHA256=8EA2528763438601EF8F69E4DB5F604986403CFE03B556140A2E4B7F40A902BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:32.070{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50479-false10.0.1.12-8000- 354300x800000000000000076851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:32.890{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000076853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:36.506{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0658F58E65A476B178DE52BE9D78DD5F,SHA256=CC24A648128FA60CFAB4F097E740F23A52A90F221F3BD0AF7C9E79BA3864A1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:36.080{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1270AC2D6304EAF5D2A30470717CD8E3,SHA256=C1D18177719957E030BA5DB753E4E6EC01770AA04AE71CEBC2BE2266CF42C23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:37.636{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3EE70E83B48538A5AA21612C2C6649,SHA256=9B3C1EA173A6D5ACA0F5CE96BBA005CAAC82226E0BE2A1A995405FCCBC8C7F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:37.171{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED4CE16354E6B8C11D1E3898E264DD9,SHA256=BC3FA5D53F516D1954F957F4BFB17CC176B40AD8D9F26C963E8EDB5265C7820B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:38.737{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB1C7F925C5F691082B3FA3F90788C9,SHA256=4FD3AACE271B168FEDD3742DB0E466A2B807052FF354DE6691F625877F99D2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:38.254{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB16E064B37AF1C3D76E5810267A6F4,SHA256=57EF7373FE14C22462C9D5A512C79A713FA9A741AB564CE570B4604E1EAA0F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:39.761{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C293490A71D1F15B6E282866E91651,SHA256=3B4FF0AE4679F6EBEC4ACC2A84813CBFD9699AE28EB3E76F9C4F4E7F942DDC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:39.337{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA03081A965846259A90F68F4335CAD,SHA256=3AA49AA93B4BCEE34317F8D1B6C89AE67161E84CF6E767A2616AE801A0D4798E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.989{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.957{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.933{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.904{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.837{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249E7DFA0A296D427DDBE42C15C3F101,SHA256=DB7E9391606603E94877B2F9854ADDCA87A87E3C64D4408AD1F6BAE78C04C486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000076860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.813{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000034642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.999{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.990{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.988{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.986{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.980{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.978{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.968{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.948{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.942{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.936{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.931{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.925{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.918{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.914{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.907{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.901{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.895{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.886{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.884{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 23542300x800000000000000034623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:40.417{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F9A8DD3A1974CBB1730D8BE89A2ED7,SHA256=C09914B0A0E9FEC4F0F533149F2798CA521FCDFD87768114902031A9548EE2A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.301{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000076858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.301{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:40.301{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3bfa2f.TMPMD5=4DF8043D988875F196E7170EB48ADC55,SHA256=C4660FA4B1BB90DD96D9F3B0818855B399BF0E5C3D38653DC439DAD480C79018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.997{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5EE2E3DD67E0231EA4E92EBBA7179C,SHA256=9158AA39443BBB4AFAF193BD5FB79CDF47B31D9D4B95C2D55EE5561189C45517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.783{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B7D76FE6E6520AD1D3918288A50807,SHA256=88B37C7084E77F9CA13FDC7881EC61E3B4349F4A45674BFC09E99DB000416353,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:37.985{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50480-false10.0.1.12-8000- 10341000x800000000000000076888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.570{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.566{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.563{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 354300x800000000000000076885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:38.744{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000076884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.254{45AAC21C-ED0A-63D0-0D00-00000000BA02}9041244C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.254{45AAC21C-ED0A-63D0-0D00-00000000BA02}9041244C:\Windows\system32\svchost.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.140{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.134{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.127{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.098{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.094{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.084{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.083{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.081{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.075{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.063{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.055{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.047{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.037{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:41.022{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000034652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.032{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.029{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.025{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.023{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.022{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.019{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.018{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.017{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.011{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 10341000x800000000000000034643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:41.002{72106695-ED09-63D0-1F00-00000000BB02}20003952C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AEDA190) 23542300x800000000000000034655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:42.675{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7156366C52F7D676401FF5B29FB4C72,SHA256=89D822ECA4F148A55B21A00A726D3C0B48DBD400D5AC6D02C10A2684069C31FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.919{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.916{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.916{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.916{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.916{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.916{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.915{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:42.915{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:43.749{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AEF5424194E1DF0E9DCD0A7C69B3F9,SHA256=9855E7891C4B2D471F86DD46F387116E4D534221E48BE3EBA83C2FBCEAFE87F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.885{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CE54583AFB8B73BFD723C5E206B18656,SHA256=52B6F44AA60DDCC9F15B5A4846F0762AD963B5BF6A0928E327C8F33583FB5CC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.619{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.618{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.618{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.603{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.601{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.599{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.599{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.589{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC63-63D0-9603-00000000BA02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.586{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.586{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.586{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.586{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.586{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FC63-63D0-9603-00000000BA02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.585{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC63-63D0-9603-00000000BA02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.585{45AAC21C-FC63-63D0-9603-00000000BA02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.145{45AAC21C-FC62-63D0-9503-00000000BA02}29927088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.067{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B7A8088A62C37A8A33A214556992EE,SHA256=3A2A82C28823B1E5CB2586D2B50B7C7EB63CDFC7251DD5EB9D1D4A4FCD917081,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC62-63D0-9503-00000000BA02}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:44.830{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3C84BF47B85D99E358ADCE4F534244,SHA256=4C2CA78C17BDB9BAF8BFE15BADF286CFA27A6024335298536E6D43DA21E0BEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.520{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=202B3600D888BEABAC0E5DB74D85DA05,SHA256=5E8525816E1AAE1A501704589FD1373675D756851848F17C7BC37EB060928CAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.325{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.322{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.319{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.316{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.313{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.311{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.307{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.304{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.301{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.298{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.296{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.286{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.261{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.238{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.237{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.234{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.228{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC64-63D0-9703-00000000BA02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.228{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.226{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.226{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.225{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.225{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.225{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FC64-63D0-9703-00000000BA02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.224{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC64-63D0-9703-00000000BA02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.224{45AAC21C-FC64-63D0-9703-00000000BA02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.224{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.199{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.186{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.160{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.151{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.140{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.135{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.132{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.129{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.125{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.124{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.120{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000076922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.119{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000076921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.085{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEF64578918939BA3CC872BB47383E7,SHA256=8EF01063BFFDB7F44F4E254BA53562A146CA0B4FD376058A7B55CBF882DFB21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000076920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:44.018{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1F8FB7864CB1B55C30302A807A6E3B0,SHA256=8CBBFCD86A09641D63FE30223BB86B993D5DD559DC2AF710D7FFECA85D597C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:45.904{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31653DFFE09039E5848CD09F20BF509,SHA256=D6FBF414BFFB7F181F931180BA897554B4D8835C66BDC6AE1956EBB43F551E18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.636{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49380-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000076962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.636{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49380-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000076961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:45.350{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13894E4B9AC1ABCC58F8D04701B323A2,SHA256=25F2F04B3DBE9040DB706FFC5B2AD62C5FF1BFD4D47D2430F7EDE1002DA86960,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:43.094{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50481-false10.0.1.12-8000- 10341000x800000000000000076977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.488{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC66-63D0-9803-00000000BA02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.488{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC66-63D0-9803-00000000BA02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.488{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FC66-63D0-9803-00000000BA02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000076974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.486{45AAC21C-FC66-63D0-9803-00000000BA02}65845412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000076973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.374{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459E92EDD7DDCFD29B7C4515ADEBE6AE,SHA256=5D18B158CAE460A98BD9CB9C87CE0F58D3D491A440696907CA6B89A52AB1DC7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000076972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:43.871{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000076971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.205{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC66-63D0-9803-00000000BA02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.205{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FC66-63D0-9803-00000000BA02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.205{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC66-63D0-9803-00000000BA02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:46.206{45AAC21C-FC66-63D0-9803-00000000BA02}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000076996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.992{45AAC21C-FC67-63D0-9A03-00000000BA02}44884360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.737{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC67-63D0-9A03-00000000BA02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.735{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.734{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.734{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.734{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.734{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FC67-63D0-9A03-00000000BA02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.733{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC67-63D0-9A03-00000000BA02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.733{45AAC21C-FC67-63D0-9A03-00000000BA02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.499{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEF6F768AAB2F4BA268715508A8A8CA,SHA256=AD25E86F4EB964F23E8E62E9A2D0CB975127738F8B28ABA1CFA7712D1EA87572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.460{45AAC21C-FC67-63D0-9903-00000000BA02}29206504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:47.005{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1765012A970BC6CE382A72965B128,SHA256=0602E39FF7B30B7D7E18B095B681329BB4DDD8D93CB5FF83935402910ACBEC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000076985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.227{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC67-63D0-9903-00000000BA02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.224{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.224{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.224{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.224{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FC67-63D0-9903-00000000BA02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000076980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.224{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.223{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC67-63D0-9903-00000000BA02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:47.223{45AAC21C-FC67-63D0-9903-00000000BA02}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:48.615{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACAC2DBDFD5345F24C87DBD7A883EA7,SHA256=8C1441D9C0BDDB1CD9AD8113174EE5F9D0CCF7360AFA76323EE7E3660AC5ACFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:48.087{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A490D96B2D6D2184D11EC3C7A178D1DE,SHA256=AD0D3252AE1A39B480A3DA305E5AEB4F80449BA426BDE42FB697A68F174628C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.893{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.893{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.893{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.893{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.893{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.893{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.893{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000076999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.895{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000076998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.739{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4191003105D3ECEFAEEBE5D8008B60,SHA256=316DBB213A81568C2DE3F3A71653DA4EBF20EE4FBB46E010B99E94B69FE72894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:49.154{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5317E40858F9DFA5FBDB2950498D4D05,SHA256=E5549B6623ADD27C5094AD2EA00CE290D809B969AF77A5DB4F5EBDA6A559E176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:50.947{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05481C1CB733F80D716742C6D2D52254,SHA256=50E2641A50FB54870F346E7B52112A2EA0FE3D950C3ADAF915EEDC27685BB19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:50.847{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DB86DCBDAECDE8C3B3D9FE1C4341F1,SHA256=E828FC2D374F021334C74D4526AC45CC5BA01FE7DF5C89B143DD295E38A88785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:50.236{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6224F0AEE6D43FE198D4E5E2E81333A,SHA256=0AB77711C30A062487E68CB2889C462943E5749B97BEDFD19457066C15D4C330,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC69-63D0-9B03-00000000BA02}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:51.921{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86679A232CD87E9CECB9080436C1B4E,SHA256=31E6B4CA96656D74A4B63B9E7E9009F8A71EDEC5993DF46B3C11E4EDF572F0CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:49.054{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50482-false10.0.1.12-8000- 23542300x800000000000000034664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:51.309{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0988322110F597ECCF79896B8DFD87D,SHA256=C4134F4FA71D59CD7309C1CC94950F5DBE96417652FB38DBE1431FAED5D550C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:49.811{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:52.949{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5712C6AA3240CAFF0AA389A63EF2CDBF,SHA256=5D24353D00F26AA9F81BD757031CCA9EAC182505E26DD5D7A1509BAAB78033B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:52.923{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-063MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:52.381{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A9ECE6F56A38C793143DE1ADBC767E,SHA256=3E4B5D15931629AFD404699CFA83665E8DE404356492ACA9FE2416C8F9B0D97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:53.974{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269E05D0C745B77F8D6AE08FB5430516,SHA256=9C0D5C3FA48D3A915FE8955C7B47E005EA1566A9F60C223D37AF7F0FC06098A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:53.926{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:53.556{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1A38EDA0DAC759EAFDC944F0A853E9,SHA256=CB665A9877942C532F4C12F78FA636136A59397BED3F083337B6E03148730D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:54.991{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4268A526B4C591DE99156C349A6E4F,SHA256=E1FA25197395D4D186260D6C16F261D8568F81556F67342585B5D1A0E1968F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:54.632{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396DF12FE39DAC92FD87935DD4E60E01,SHA256=0A35F206D9191FA5FBF8E7822041F22EC8422D22125ADC90C41CC4E2D664ADD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:55.724{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1769CBEBEF412F9A65B6C3278F9D53A2,SHA256=E2AC44B53BE053449F300E1F03AA37D02756FF616B4F07BD4A8491AA116CC9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:56.798{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6772065867A1EDDC87558088B512669,SHA256=1923D181E7EE21696C97612674BD15B47658A0AE2E8974E27F4D8CC359B38B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:56.107{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9240CCFB0481DB1DEA9BE813D377F0F5,SHA256=46EE1C3CB049C8605E979AC10F260670B958F721A548E74240C4A9C443195918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:57.881{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0579D63030026BFBD31A8940F07D9140,SHA256=172AD5A1F17F79679ADE27D5394F9408EB34003BEC27ED661609ED59E9E2FCF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:55.743{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49383-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:57.209{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D1D67819A81ED22A5912FD2ED071C0,SHA256=68593732728395DFB51381FB3B7EE8FA23301E12D720C540B434F4B330F12F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:58.965{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159C5A9344DBF9F56449E757F266A7C,SHA256=54AC374753049FB0FFF25AA6338722F374E37EE0E0D11057E9066D9CE048AAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:58.328{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580C73BECD29AAEB12EA9E9E09AEFF1C,SHA256=6310CD72AF033700474FA07400EAAFE725211C6BA060677766520D894CB6EFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:58.519{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=479755B96F8CE951C8292DAEDF3465B7,SHA256=F2E14C1990F77549CD3579FD91915EAEC6FD87E0B58A6BFDF108C308FA7B9B33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:54:54.149{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50483-false10.0.1.12-8000- 23542300x800000000000000077022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:54:59.429{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978BBCA3FC51A0D31D61888226DEB09A,SHA256=2776BB241ED3E1FAF510DEE6C53AD4D9DF1C22BD6A67DCEEE9707BC4A7230E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.997{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.985{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.967{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.956{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.949{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.909{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.890{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.882{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.861{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000077023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:00.533{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263F9C035283E9E7F541CC77C5990B14,SHA256=F8A52EC9484499C3D589035B272DD7B71F4F20DC5C06954B6A792123BFB0E275,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.996{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.993{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.985{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.983{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.982{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.976{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.973{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.964{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.945{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.940{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.933{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.927{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.921{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.916{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.911{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.903{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.898{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.893{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.887{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.885{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000034677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.045{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F8A98F766F2A7E100C8BAF7B5B9639,SHA256=74E4A5A9952CF838C74DE89CF2EB0637F1876D2C36493165F73336ABD2728BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.585{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270A89058123E87F37A12BA1172B7B9E,SHA256=56B759E2D2E9433EB0FACB8F6EE37C4C527873E1C20236E72D19C83B2AF54437,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.549{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.545{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000034707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.440{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3CE1EAE87A2F7E603C9108FA92EC9,SHA256=4751C4164F7F6EDBBB121697B55BAD544604AA5FD40D4C37B616CF5220AFC438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.066{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.058{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.050{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.027{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.026{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.011{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.008{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.003{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000034706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.010{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.008{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.006{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.004{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.004{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.002{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.001{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:01.000{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000034698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.999{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000077050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:02.688{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CAFEC13C9D97B2070A989C9D37364D,SHA256=4626EA3F6359A429EA132B687F8CB9A8A65B8F0DB8849F0B614DDBABE7C8DF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:02.532{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72068648A4CEA2A49107CFD0A14AE110,SHA256=94B80DDDE1A5F7BE7DD7DF9C26D5DDE4AC61111D57702DED2C159A2A47E9B42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:03.714{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95717BD63C2FCF6231CF90F7E3942030,SHA256=CCABFF5838629C3B09AD8C4D01217C43D8DE669B411D016422E96A320FCE7B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:03.614{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA116389B063459713539EEF5B1E638,SHA256=26D7DB68B0B569A378829ACC61E1A4164F7F13F32ABCF383E6258D666690C0DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:01.669{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000077053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:03.593{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:03.591{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:03.589{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 354300x800000000000000034709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:00.042{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50484-false10.0.1.12-8000- 23542300x800000000000000077086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.968{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000371D34DA99CF3C5CE4AB32F24F2C8,SHA256=95306BC4F98EBB5F95B54697D1484BAADA890148C6344C38606D937BB6D3D2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:04.720{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC8326FCD610AF90D0AA667619034F8,SHA256=FAC63DE5B40B80FFE2937950442F7C2FE9404ECAB8942AB687CA7A02F2CBAE28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.552{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.545{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.537{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.528{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.521{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.509{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.501{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.487{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.477{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.470{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.432{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.355{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.328{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.325{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.322{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.307{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.296{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.259{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.239{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.187{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.172{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.149{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.134{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.132{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.124{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.116{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.114{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.110{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000034712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:05.794{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032D0D6EBCAECBD7B215D3C6477AF714,SHA256=FF58C3E1580991490AC402203C35F13A81372140D08C41CB1C5BAEB9A699DCB1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000077091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:55:05.309{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x800000000000000077090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:55:05.309{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Config SourceDWORD (0x00000001) 13241300x800000000000000077089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:55:05.309{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3043171C-3022-4C0A-A8DB-5CE9390B74BF.XML 10341000x800000000000000077088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:05.292{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:05.292{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:06.884{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326BE83ED251B7128A6F9238E04DAA59,SHA256=56EA744A0C5511D0B301B43AA7AFC48566327CBC85E378D4DBAFD9A4F13A2679,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.962{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52628- 354300x800000000000000077099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.961{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local58478-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x800000000000000077098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.960{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64459- 354300x800000000000000077097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.930{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49385-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x800000000000000077096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:04.930{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49385-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 10341000x800000000000000077095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:06.170{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:06.170{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:06.170{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:06.033{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DEA514ACC6E69D7142DFF1650B46576,SHA256=ECFDB8696CF8266B39AE57C0C09094C52E96FE431906AEE7D76537EDF5A4B563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:07.964{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A5AC672B9359CC4DE1642BD6EECC3B,SHA256=2FE39A5200930AC3BF4A03E06A4A862CC8F657571434C103059BE3DF4B168F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.628{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-063MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:05.805{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49386-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000077108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:05.805{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49386-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000077107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.270{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B54E9B9937D06C23DA69DDFBC310D294,SHA256=0A44297BA3B458791FCBC15C61B39AF1ACBC3B8DBB43FC8EF355339D7ABB0C33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.193{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.193{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.178{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F39FB14A8BF944FA9324A178C30B8E,SHA256=8B690F05789208F26842111A0C89F733A63AFE6700A0F143E0CA9D9F2C96DF62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.014{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.014{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:07.014{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:08.627{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:06.745{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49388-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000077113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:06.650{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49387-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000077112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:06.650{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49387-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000077111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:08.294{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835B92BAB2BABBB4EECCFC2E63032D9B,SHA256=8E186FA7CDCC49116B858636118189BC55A5E9E430919A82F74161C761095B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:05.121{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50485-false10.0.1.12-8000- 23542300x800000000000000077116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:09.372{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB8E21A972036B9BF548697F7C0A98F,SHA256=81A27EAEFAE0410FB41405AE0CAC5E51348A59F844741BBAEBEA86C159C00423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:09.033{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5524D37B41C675EE0BD7679D55D9CCFB,SHA256=C11F23025B4DA4D96724768ACACEFF60CADFA2680B622AEC20A8976DD4489369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:10.472{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85C42F148D96E4BF9758AAF1A46E383,SHA256=85479E3E5DD96E80F7EAD0D77B3995F7399F7DF0D0D1A75D2300C275FAA023BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:10.113{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3217CE5AAA2351110E798A45883A8DF9,SHA256=FEB6A261B04B5C3C3327FB13CD468AFB1BFDD0DC30BD431ED65F1C79DAABB004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:11.547{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC95976D233F65E88CD0C59081CB092,SHA256=5BF5B6C3DA904AAAD8BB25C48C5BAF640E18F83602C96C141FBA9F3A193A6632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:11.196{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F556FA25748E36CD570DFB002241A5BC,SHA256=1093668BAF92829AB22D5D8C81D084E3B3C34BB575E4CFD0B00395D050ED6C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:12.648{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E80C087471E91D5EA8F08818E4E23A7,SHA256=8F39A6FBE677F6AF21701743D9C4C209A149831C1525E1795A35CA0265E2737E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:12.276{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9FBB62FDB3BEEFC70E8B2857292649,SHA256=1723E350BEA9FF1E7FF1F5F4BCAB5E857F212F3AE4C1BE2CD7886F76E853EF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:13.950{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A32C1C257278D453435535CFFC62A73,SHA256=77AFBFF5E84E11FC5857DE4E8BE1628BE88DD0AA23A3FE4F773AC8BB9DB842B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:13.726{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F8445DD62DFB484E901C6551C92F16,SHA256=356F67F8D99D7ACFAB29F89A6D9B0E825D9EEADB69001812532A71AB06B7FD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:13.365{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCA071F75B2F1C29009C6426C853092,SHA256=B38CB102932311B3F3BF1423A725ACF35B5F5BF4B4208CDC61ACEE109C7B7A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:14.803{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4900DAD538AB3BC8A7BA47D7B2A07A46,SHA256=50B4BB307DC96A88A1DE38F9761FDF53100669F2D5B9BE2E53E637DDC38D212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:14.621{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E778CDDD9AAEA8C3EBBCCF8991279B2A,SHA256=DF39F025FE6B68763B8BC5894D51A96B4EAC54F04D0A85BDC480383EBA2A6AC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:10.953{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50486-false10.0.1.12-8000- 23542300x800000000000000034721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:14.440{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E256E0143472DF201B63FBDC0C9F38,SHA256=A658C77B77105FB5B8F8EF894EED4F563739D5BA31CD67B26D40E534015D26F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:12.694{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49389-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:15.890{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D8D4AC2832CC57B360202894519C66,SHA256=1B205389C9B01D764D32DCC6300EF5ECC204DD48F4E942F2FC989368AB487954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:15.883{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=465A77A986BE272E6913049B746D7929,SHA256=AD1232BCA9BF9AB5CBEB4FABAF1BA09DD493350C4B755B6E1A8A326DFAF424D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:15.515{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F509A82107B23E14F46796EF02BF26E,SHA256=48356C34F7E5074B2A78FE50C12FD960D126D829CCC5EF0BBB628E43B9915BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:16.908{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E2AB333A6AE99628CDBA20125F63BB2,SHA256=EFE03AD3738303BF7DB73875EE3054538A0AE23B88964DEC7383B82648B6EFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:16.908{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7255430AC6016A30B1F4558C18B7B1,SHA256=3B4659EA5C65E49C17932815708963DEF95E53F9334AF83D398F07ACB739F880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:16.597{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2918ADB2A2CD7531AC10DBBF1F1412EB,SHA256=EF0E7E20048C415EC258C49EE5D15456609F24E31BD3890F515F3E64CED48168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:17.687{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F75042B54210539EA18B4336056375,SHA256=8829046A047485203F4F16291FC019D8316EF0B902FBA58CD9146EAB68C428B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:18.765{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5645E34FFCBF25E793BEDC1B65F9FFF4,SHA256=2FC84888ABC7C4183B8D7AD31399C28C31FC1B625D91A64F7E8638D646E01C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:18.388{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:18.028{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCDE2998F4C628C16487D73405EA099,SHA256=A83C2DFE6F3CE75B42E4CEDA9220D0BABEF9E376A0173344B7862A1D63EA2FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:19.843{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2C406E5B8139657F6459A5BD84B13F,SHA256=631479BE607B7C3DC08DDCFD9189BE4D4935A6567265BB1BB2131EB19A9D1018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:17.994{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49391-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000077131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:17.878{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49390-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:19.112{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9819BFF3956B1E344B0284C28F26C412,SHA256=C86F57FAFD781A86E6180216051FCC5932239D8E2818310F7E653C1EED6969A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:16.103{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50487-false10.0.1.12-8000- 10341000x800000000000000034747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.997{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.996{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.990{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.987{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.976{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.948{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.942{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.934{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.927{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 23542300x800000000000000034738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.921{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBA75FBA3D61C011B3E6DED01056EEB,SHA256=8A169CA8B99F322C27E15A021CD7442708D1E60F90BA62488890071A1ECD07AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.918{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.912{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.904{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.897{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.891{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000034732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.888{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.884{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000034730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:20.878{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000077141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.957{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.934{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.919{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.903{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.887{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.318{45AAC21C-ED0A-63D0-0D00-00000000BA02}9041244C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:20.133{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75881810DCB516967FF328BE1488CC73,SHA256=9EB045C56918BE9DA48C55D047595AC48B164E10D8B5A5461FAF7CED07C02E6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.215{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000077156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.209{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2A596C6297F22464435957E66E5C5D,SHA256=91F604F74278F67E1EC9EDD5B45E4F92358E23E07186BDA80AE54348C6EBCB87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.202{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.188{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.152{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.149{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000034759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.044{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.041{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.038{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.035{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.034{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.025{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.022{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.017{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.014{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.010{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000077151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.130{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.117{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.112{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.090{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.066{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.056{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.017{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:21.004{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000034760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:22.319{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5057F48E2CB1849C18495CB73CC050A,SHA256=C77DAA2EBCD513F52A2A1E776BD4AAB23287867439BCF54EF58D13D19ED12DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:22.223{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0186D4D98737648D091959443DE00C4E,SHA256=F3EA3D8ECF6F63F955925856E6E1F2101596D1D87741126CC3DD08E47BB627BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:22.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:22.042{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:22.028{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000034765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:23.415{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D05FCEEFFB4C00AB3498A98BA03006D,SHA256=EE74C0F0FEE39A2AD6C28F42E1D197F50635A3A5E6EEF92A4183746899F547CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:23.325{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CCDE97F93D8B008FCBB7630A4FC81D,SHA256=4D9C3FD53549B08B42DC28BE5CD7547027E171A0EA475348DE574BAA66E27979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:23.230{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:23.230{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:23.230{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:23.219{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:24.497{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E213122544CFFCC8131A8B0D022C78,SHA256=5DFD0E2F43EB6118711F47802A77B9C0411F2B779C7360D4314707BCE05CBECD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:21.998{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50488-false10.0.1.12-8000- 10341000x800000000000000077199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.986{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED06-63D0-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000077198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.877{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.870{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.867{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.864{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.862{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.858{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.853{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.847{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.837{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.830{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.823{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.818{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.814{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.804{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.775{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.757{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.756{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.754{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.749{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.747{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.721{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.695{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.639{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.628{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.608{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.592{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.588{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.584{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.581{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.579{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.575{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.574{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000077166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.341{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2E567900530265A85455311971AA34,SHA256=3ECA37BE9175F965B98FF0AD2A552EC1599A5752AF0C445A65D26806F5BF3B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.063{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.061{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000077163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.058{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000034768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:25.589{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B5375762034FB003526E6B41143EFC,SHA256=6ACFEB8726130445F207B012EBCF315182F36213C0F8FA428455A9A3D4F073EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:25.980{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47ADF49FD9129793B68EFEBCA094B3BD,SHA256=CF7E9C5448FAC6D8B02BF1537AF94544D1E70D3C294B7B1FEEDA20002037C947,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:23.738{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49392-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:25.557{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE80AABD14A9C526FCE5A07B8177FFA,SHA256=3531ED0F35E1A6BDD3D617C28540D10CF71628EB5F3112BE641B90774AFE2DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.679{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FD681307628C6D11AA7F074A3536B9,SHA256=FFA25B8624D2EE598F40B557CED7054EA70759C3B48099FE882BAB892E37FE81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.620{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49395-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x800000000000000077208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.620{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49395-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 23542300x800000000000000077207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:26.604{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABE1B0B2ED064E06DB2AB8DBFDE868B,SHA256=014BC85FCC8DC4432F20730D34BE99E8D6A420380DC8359B354CF1CECF4BB2EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.571{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC8E-63D0-5502-00000000BB02}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.570{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.569{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FC8E-63D0-5502-00000000BB02}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.569{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC8E-63D0-5502-00000000BB02}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.568{72106695-FC8E-63D0-5502-00000000BB02}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:26.152{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.513{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49394-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000077205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.513{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49394-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000077204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.504{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49393-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000077203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:24.504{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49393-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 10341000x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC8F-63D0-5702-00000000BB02}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FC8F-63D0-5702-00000000BB02}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.918{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC8F-63D0-5702-00000000BB02}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.919{72106695-FC8F-63D0-5702-00000000BB02}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.747{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EF7AFD9ECA486A9D257D50F618EB89,SHA256=5CAD62EA42E96658D82F068CE06634A5B57A6CF72240BFECDFE07E6FABDADEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:27.644{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F121079050615547033376258B69773A,SHA256=19D6113D376510B9EC14FC2CE0D2FA4EBEE8BB82889E819C7B4D0E24E03F30F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.677{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F65803D4E5D0EBFC2A6B51A2AAE3EA80,SHA256=E0F2DF70173E1E38C4946509BD05F41378C4FE24A676B22805DBA53027B46EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.677{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=37B761EACAE311D8B0C7CAEAEEA53F51,SHA256=E9650E13029AEE0FEA36C1251F4F96B4A6579688E85D29ECD7F5AB0B65F0B42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.602{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF16F01D00B9A09AF65B2E385B0CF54C,SHA256=06CA2F96AFDD9733DA427187B32F5000CA299D4206D4857366C1FBF43A1F1198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.444{72106695-FC8F-63D0-5602-00000000BB02}40922748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC8F-63D0-5602-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FC8F-63D0-5602-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC8F-63D0-5602-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.257{72106695-FC8F-63D0-5602-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:27.343{45AAC21C-ED0A-63D0-0D00-00000000BA02}9041244C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:28.815{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1A2A996110862725837CF8EC0B9077,SHA256=1EF0A5FF76261DCD79861147E456D9B5E426575C4EED9EDD7A6495952E3D7336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:28.679{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F01D83863A7424D72937D01146F2B2A,SHA256=0054C96911813D4BC4784496C5F30BFCF343E9AAA8AEDA856C3B8851264445FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:25.026{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50489-false10.0.1.12-8089- 23542300x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.908{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794E9E55D9EB71B66E750AB3F8517A2B,SHA256=06D749B2B69DF7A47393CDF0473154341DACBC99DA2DC7C7797D4EED313CAEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:29.708{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05332B0FCB2719A113393812EBA3102E,SHA256=70B8E0069AFD25E8F53B896ACDD9C471D1866C0EB1332F49EAB805902211E697,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:27.080{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50490-false10.0.1.12-8000- 10341000x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.183{72106695-FC91-63D0-5802-00000000BB02}27002512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC91-63D0-5802-00000000BB02}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FC91-63D0-5802-00000000BB02}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.059{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC91-63D0-5802-00000000BB02}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:29.060{72106695-FC91-63D0-5802-00000000BB02}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:30.830{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCFE1FCBD8EF75B0E667F3A8CF4594A,SHA256=1229359AFFBECFA4981B074D67BD63ACFF6AEC505D99C3C358C31D41CC410520,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:28.865{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49396-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.989{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FCA911A4BD276F48126484BAE95846,SHA256=6BEBEE21F8CB1C9E12AF1AD637311E4C654854A301136CF0BD9DCC43459B02CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.541{72106695-FC92-63D0-5902-00000000BB02}11442460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC92-63D0-5902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FC92-63D0-5902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.392{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC92-63D0-5902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:30.393{72106695-FC92-63D0-5902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:31.946{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162698FD981607D671DC42646A6BF85F,SHA256=5D4334AF0382D8D44DC6D52F895559163680728837D8402627D541D51A261F54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.208{72106695-FC93-63D0-5A02-00000000BB02}37161344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC93-63D0-5A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FC93-63D0-5A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.067{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC93-63D0-5A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:31.068{72106695-FC93-63D0-5A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FC94-63D0-5B02-00000000BB02}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FC94-63D0-5B02-00000000BB02}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.848{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FC94-63D0-5B02-00000000BB02}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.849{72106695-FC94-63D0-5B02-00000000BB02}992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.082{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D717978C237897C1A5EB3C5FC7766B7F,SHA256=735707AAB2067A1099D0A3A36C42F030D1D4A0893D12C47C9F956200CAE92B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:33.080{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AC54FCFE4BEE932B5366E64B6AC378,SHA256=992333DC23A97015F4605C19757D51AB6B4253160B07CB8CAC4B1216E9D015D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:33.893{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A114D5F4DC5A6ADD829A28B16DD95646,SHA256=410E7A98D69D140B6CDF9E576853EE35DBB6C5E00590C7FE253C7C327053BFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:33.161{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4782544570FE3DAD83AEF567350D66BC,SHA256=B1FF78F7086A37712EFBD4E02092A79403BC9317068AEB0BBF64E3A71543E709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:34.183{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5F2085B7BFFF60D6D6EDA66F15BFAC,SHA256=CA911118BC78DB4AAFB4F481EFB712F2D86A571C4969EDC135A4EEE466D7FE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:34.252{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903D1A901B920933A8616BDBC3B7B3E0,SHA256=46EABDEE6EBB9C18423CEC0EED5C024DF010A11CA6986C2D1D13C0F122EFF848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:35.268{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C763D216FC767B8CE1E122F8B8C806,SHA256=8B78111F04D0AD6E22A843B328A2A554DA61920EE5F82547D5D96E4861215871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:35.328{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D595223897800A8E6DF72DF8F8A319C4,SHA256=F7B8DC30A0CB232D1128C6560B8F050AAACB9178111757D4D332A080561C59D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:32.144{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50491-false10.0.1.12-8000- 23542300x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:36.405{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA8AC19DFF16AAB012BE441213563A9,SHA256=59B6BD809A15D932F2BE46166DBF9A01E462705E100A323523A853B852561E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:36.810{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7400B837155EC164984A2AE1C1FBFB45,SHA256=DF67C9F476BC25FDF99DE6F8D474A82D90EE6511EA53717C91B88B8B0B53B039,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:34.745{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49397-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:36.382{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81336150F24B5C5A7C995399A2899167,SHA256=DDB6C6E94B77CDA98EA1AC7905D68B4586308E1DC5A86D93586ED6F5B741BC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:36.064{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=F866F7A1C48C4DFD4AB186DB5F7D8838,SHA256=92365A12927FDB56CEB71B3AE1B8CC821DC37FA5C322A9429C97AC7C840C5777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:37.478{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D52738CF6B2362AE32E302171421DFE,SHA256=0D10C8532E55395B1D888E066D062A90981D430B90320A7BB966300905971AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:37.410{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF62CCF07087AEC460C4A48EEFC3728,SHA256=FB041673C397EB4D03AB52C5F5CF8DE59B775085BB0F35BBA761DA608F518FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:38.569{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F844E096D28978268E8D091E02CF52E,SHA256=C7D226AAAB18A2790A17E30E9451C5F72E0E6AD8C38FECAF285416C322EE4914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:38.510{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD10F97F72484A7EC8EA4EABFE63247,SHA256=8A1D2B7D5A7E3740E424AD45F8119F687E4D9F61A1BDAD3283C4D208F5221324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:39.659{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AE853347620DFC7C291A59435037EA,SHA256=DCF5388BE947B5966C3B2C559234095061B12B645A7715E4F9063847F954B173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:39.632{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E547DEA7141F84BFE9F83ABAB107CC,SHA256=9D1AAE06E287AC9DE674CF4492B170F7B0A4566675B2CD2AE170B1ED24F875AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.997{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.997{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.996{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.994{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.992{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.989{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.979{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.977{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.976{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.970{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.968{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.958{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.936{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.929{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.924{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.918{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.912{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.907{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.903{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.896{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.890{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.882{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.876{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.874{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 23542300x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.740{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1898582A89ED1DEFB02F29A823EAE15,SHA256=18046C4FBB8AE307F1752D2EE401A2DD940E1AE5FAE30D22235DB99FC1D6C55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.972{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.956{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.939{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.922{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.913{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.851{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.849{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000077227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:40.727{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99E8181D89268847BA0CF2F42D1CA1A,SHA256=B3F345EE9D61AB56D54605BBD462BB376FC5B76C21DE624495025EAB80519B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.787{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87804EB2E69204A117338D25AED4D086,SHA256=BD1AF2F29557E25B4E640ACF18F6214D73D442A28C2611D6A408B276E8221070,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:38.094{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50492-false10.0.1.12-8000- 10341000x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:41.006{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:41.004{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:41.002{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:41.000{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:40.999{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000077252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.537{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.533{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.529{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.096{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.091{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.083{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.074{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.064{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.062{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.039{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.031{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.024{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.015{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:41.007{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.952{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.952{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.952{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.952{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.952{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.952{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.952{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.953{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:42.885{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EDBD5B517B8335D5FA1AC8315C8054,SHA256=2ED3D52B531BE2CFB506F7645A735142698C8BCC8F50760ADC409FA57E89BFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:42.006{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FC52574DF2AC7CAD229B50BC7BC01E,SHA256=017A03C5CFCDBF43D89449548735C83C8E7FB84DF17F1F55424F5F58850A7346,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:39.884{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49398-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:43.129{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2E4D6DEFCA63F57E1F25DC1D8AABC9,SHA256=0263AA4C44E0DA7E648083F95281B8583CE8DD01852C2CDC2717B4DB73365E90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.853{45AAC21C-FC9F-63D0-9D03-00000000BA02}47326564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.618{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FC9F-63D0-9D03-00000000BA02}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.618{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.618{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.617{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.616{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.616{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FC9F-63D0-9D03-00000000BA02}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.616{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FC9F-63D0-9D03-00000000BA02}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.615{45AAC21C-FC9F-63D0-9D03-00000000BA02}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.599{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.573{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.571{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.568{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FC9E-63D0-9C03-00000000BA02}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:44.201{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06161ADD2C3658909E47A1E71245BC3,SHA256=64EE61530DC79A4ABF987667D664DF1CB93932D37A30C666F2C38C391554D2D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.616{45AAC21C-ED0A-63D0-0D00-00000000BA02}9046848C:\Windows\system32\svchost.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.493{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=179598A61D07FC3FE15EE094073EAE2E,SHA256=C713A937659BA6C857C32B5FE53CD9C39B4A32B5078F6E9D798442297E296BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCA0-63D0-9E03-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.297{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.295{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.292{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.289{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.288{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCA0-63D0-9E03-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.286{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.286{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.286{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.285{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.285{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.285{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FCA0-63D0-9E03-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.284{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCA0-63D0-9E03-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.284{45AAC21C-FCA0-63D0-9E03-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.283{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.279{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.275{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.271{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.268{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.265{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.254{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.230{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.212{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.210{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.208{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.203{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.201{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.181{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.167{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.138{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.129{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.110{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.101{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.100{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.092{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.090{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.086{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000077283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.069{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4B58F8C24DA956C5132BA9AF7708421B,SHA256=212C0611F170E1ACF5DB9BE3B9713B08997AFAC292AD3568CD8BECAB3F172A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.053{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74DC4F800ECBB90982656B0B177A190,SHA256=C380246D63D7353F139853FB71535A5DBE927C0FB02472C94D8AD11AC4280395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:44.053{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D6E0F37EEF7D6633EB8EB152ABF43B8,SHA256=F6175C0764523439D20A59E86495292E7D7AEF21EBB4ABA7E86E395751CD771C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.651{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49399-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000077326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:43.651{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49399-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000077325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:45.219{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089C39F635308E0D1C12D9CFC00F0C12,SHA256=3465907AE5DAD97790EDBF7BC449AD0E70CE3963478FEFF49EDA1FCF8E4D37F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:45.280{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9386D9E7DC264E1C18F0B7D6AC045632,SHA256=ED775B978B73EB688907D6790522797E6D7057C7090AAD257345435A14CA7883,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:44.004{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50493-false10.0.1.12-8000- 23542300x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:46.371{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E8B085CA2EDA13F385F86F1D5C306A,SHA256=118F7807071965FF96F9C24529B2E56FADC0EE24700F924EFE179817A79772DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.453{45AAC21C-FCA2-63D0-9F03-00000000BA02}49727992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.452{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCA2-63D0-9F03-00000000BA02}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.452{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCA2-63D0-9F03-00000000BA02}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.452{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCA2-63D0-9F03-00000000BA02}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000077336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.327{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8441C42566E8221349CBA4C82CDB4ACE,SHA256=8937348BADD556C0BBB2E5777AF46C83A229923C2B988A2B6C249FEAA5ADEDD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.220{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCA2-63D0-9F03-00000000BA02}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.220{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.220{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.220{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.220{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.220{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FCA2-63D0-9F03-00000000BA02}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.220{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCA2-63D0-9F03-00000000BA02}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:46.221{45AAC21C-FCA2-63D0-9F03-00000000BA02}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:47.450{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56604151406B29CEB158F001A5BE7895,SHA256=CA7BD526DAE14A27E1679054420C8302D6E4B5AF7FC9FC063B02C9AC30FB61CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:45.778{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000077362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.973{45AAC21C-FCA3-63D0-A103-00000000BA02}61246136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.742{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCA3-63D0-A103-00000000BA02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.742{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.742{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.742{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.742{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.742{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FCA3-63D0-A103-00000000BA02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.742{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCA3-63D0-A103-00000000BA02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.743{45AAC21C-FCA3-63D0-A103-00000000BA02}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.500{45AAC21C-FCA3-63D0-A003-00000000BA02}68161668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCA3-63D0-A003-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCA3-63D0-A003-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.484{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCA3-63D0-A003-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000077349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.442{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C422B017B4C09013337FFA3216ABF445,SHA256=D8AAE6F3F0412A70173516BA58A15866F1F38FEBC81B4689728E9B7824CADB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.242{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCA3-63D0-A003-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.242{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.242{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.242{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.242{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.242{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FCA3-63D0-A003-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.242{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCA3-63D0-A003-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:47.243{45AAC21C-FCA3-63D0-A003-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:48.534{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1927392ACDDEA123E22A8337D22F29,SHA256=0717B5CD5C9E414A6A5F24542C4197E61BCADBD196C08127B26EAC3E71ACA6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:48.481{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE23E70CAA04E13EC92C4BAC021B47A,SHA256=EEB45D2C510E0504F6E406F5A0A4D4A4BEC46465C6F63874D60ABEE13489073E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:49.622{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E420295A533A24BA0A538329FE76ED8,SHA256=87E7769B809B68961017E833CBDD91F1FB395E54284A09B711C28091BFDDEA3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.919{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.919{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.919{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.919{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.919{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.919{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.919{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.920{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:49.582{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC84D1E25557E8AC9BC03BE5950039B7,SHA256=75C2F0B60BDEC3C791ACA88D129A7265DCE67590CBB2F67ED297D9D6CEBBFAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:50.717{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D91B6BB258811CD7D6D313D00708114,SHA256=27EA66499D8B0F49C3BC818E02096C44EADBA16418A122DB8FAF201E1CED50E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:50.651{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A567195E736C495C0F8675190CFDBEC,SHA256=89848849C4F6A22E7115584A2A4DE9A31A27258D4AF8947C99C8F6E596D5ECCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCA5-63D0-A203-00000000BA02}7552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:51.776{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA424310C708A50BA2EAD9DC6467CE97,SHA256=E53D5F59EE1C177C94DB67C762E3A3A5A810574BCA083E6B9F56DC7820D23F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:51.667{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B036C32DE82CDE77E15CB9C1594E7B6E,SHA256=D2EA25A1933CCFD6563D5EFA47AEC0E922E85EB7211CF124972ADF5EAFA2B4A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:51.013{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B94F9A0C81B96CB472E9634ABA7F7B1,SHA256=E61EC8036C8C6A425B58322A48EAA9A9C5272D08845B19B64892FA7362ED0629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:52.841{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05513DB0CB6FF09E30DECEEFC82F975D,SHA256=B4D7B3EB7A63B335F106AE3595A883285134729EBCF9857D9883963F6637DFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:52.784{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53E99A958FC5ADB6E8448520D7839FE,SHA256=7BD8952A2638AE74BEC75D306BA7E1DFD1293BF36A0442082726C241E1DA2A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:49.059{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50494-false10.0.1.12-8000- 23542300x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:53.914{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5EC598238DC116FB84A134EB9C922B,SHA256=628216CF2B88144A1A62A1748A760007FF79160A808B40E1A777ED92E63B1459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:53.887{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34B8D158C324E9EE7826C00AD3E0E48,SHA256=B15AFE60F487B7BA9CF35F8887B72F9AE43877F80AB25D9EEEBDE79607C957F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:54.917{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88DEFC00C0D34334D910FA55742414D,SHA256=B182E9E1B699570841D80D84B8C8D7AEBB826A7B7B56D9613F6CA76EE5C7DF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:54.438{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-064MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:51.720{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49401-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:55.990{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEB3E862B3E146671AFE7FC76059973,SHA256=4A50CBC48F8E11A101D16125B2145F53198BC055CF295676FEE7E76EFA715292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:55.437{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:55.002{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FBBFE637577055805D70D88CDFD890,SHA256=F78433585307F4504B571734C18AA0EA619B08FA29351D73551DCA8B44ED4A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:54.123{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50495-false10.0.1.12-8000- 23542300x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:56.069{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974F464A49C54A7BBF449F702B722BF,SHA256=4894953517BBD262259FEF405ACEF43BB76200781B0700F4381A4924B37AC966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:57.091{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A72C451AD6DC177BDAC13234B986267,SHA256=7C5DC62FCF07DE9E47C2727C38D73AE5A30E391A2147422221738ECB2D1FA968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:57.135{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B0748DDDA4A6347AB9744C74825914,SHA256=5FE8E4A1C255817DCF0BF0ABDB3C6B43E0FD7366F30561456204B6F183274D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:58.218{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB20653B21D9B4535E91214DFBF43C69,SHA256=D0FEA0BE2CFD8EB4CCA6AF2EED7CC42E658D6382D4130BEC7E7CF2E858241D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:58.207{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81472E0728C500882740066D752CCC1A,SHA256=6810140737C5F86F7B2BDD11F0B4AA1321E3912E10D9F957EF1B7C44E939775F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:58.082{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A3C5393DA2FBA9AB86A7E9E23B700A21,SHA256=ED3B5534E75DA1F6152AF1B1439D759EAF391C2DECD149363B290565436C00AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:59.356{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93C6C1729D0654EED382EEA802D35AA,SHA256=86813681820B905A0FB2C5403EA066271DBC28B740C3B50A60DD8DF8E169D762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:55:59.280{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA89247B21F2E411A69DDD67A1E938F2,SHA256=A6EF90555E08DBC35FF6A00A8E86FCE51A52C470E4A032FE4D7A24827A339379,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:55:56.776{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49402-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000077413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.997{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.984{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.971{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.959{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.950{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.922{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.905{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.896{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.884{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.808{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.806{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000077400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:00.489{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B519199C8483E18BDFA34E685DC8165,SHA256=D822A4088334C1D470972E2DB04E1ABDC2F22503275E3177F16FFB0953BC5744,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000077399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000077398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003d334c) 13241300x800000000000000077397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9309a-0xd8697331) 13241300x800000000000000077396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d930a3-0x3a2ddb31) 13241300x800000000000000077395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d930ab-0x9bf24331) 13241300x800000000000000077394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000077393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003d334c) 13241300x800000000000000077392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9309a-0xd8697331) 13241300x800000000000000077391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d930a3-0x3a2ddb31) 13241300x800000000000000077390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 09:56:00.471{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d930ab-0x9bf24331) 10341000x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.970{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.957{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.948{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.935{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.928{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.918{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.912{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.906{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.900{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.893{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.887{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.884{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.366{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069D8A8E09971327DF353F1CF961CF32,SHA256=F0F206856ACDAAB930A9658C5BA3744A5AA1B5B7BEBA4D454FE8272F808FB36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.707{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6780EA351101ECB1F1ADC078999A5,SHA256=292BE95E175CBBDC804B0EB53954A06DAD63EE02027DB86AFE8B7F2DC03B60B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.773{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF789D3D984E8CBEE2DDE565B7B7D17,SHA256=3E1FB92F68C3D098C947E742344906481B7669AA096DB87F69A9D4FB3561C881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.524{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.519{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.515{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.047{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.039{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.031{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.021{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.017{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.007{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.003{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.080{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.077{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.076{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.074{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.073{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.070{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.069{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.065{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.064{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.061{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.058{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.047{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.045{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.041{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.033{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.032{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:01.012{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000077427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:02.558{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D53DD3AD1AC1DB82DCC0E40EC0DB0C,SHA256=31ED4EDCA36FF876CD76BA338268F542BAA8FC24CE6C91AE2709ABC68E445DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:02.853{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B089F4ABA9F1CA001EF1BFFBB6B1F85,SHA256=9FF6C512CCC824551181DBC9DEDC3B183C024D8A6D29C1A73F19CA5AACE430A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:03.690{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D778FFA8E2D91670087C7B8AD3FCE0E,SHA256=8B6C061F0168B59D2E615B01B11F8E505F200CC752C7A232F257D5BFFA00DD2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:03.586{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:03.584{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:03.926{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3399809668E2289FEB80ECE5CE469F9,SHA256=1A15E7B00C01F2062968499E50135032BBE69A339522404EFF09BC203E8783C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:03.580{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:00.049{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50496-false10.0.1.12-8000- 10341000x800000000000000077462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.565{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.555{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.549{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.536{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.527{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.509{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.486{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.464{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.435{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.420{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.399{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.371{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000077450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:01.855{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49403-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000077449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.276{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.274{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.267{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.260{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.254{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.209{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.183{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.141{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.130{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.114{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.104{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.101{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.095{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.093{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:04.091{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000077463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:05.122{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B167C8658652A3FA2307CE08E06410A4,SHA256=E0556858E3DA6469825A314E8A89FA5B19C7984F01A90CE0FD48F49484135657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:05.006{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D4FC5D6A45B803D35EDDD2A6FC4011,SHA256=5D829FC92EC59B2433515447866BD0503CE9AD17A495BA884BEA0D24B6A24DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:06.193{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E3FCA632410688B37348383953EA99,SHA256=F2414EF4BC7D1736616AE72D3D61CEA291493FE0B59DC462EE3E9BB495CD1CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:06.084{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C4CF631E6DECCC70CD31C637688B24,SHA256=34ADC1B1815238796D8E0E960CD6627478355546836BE163887238F8006DC6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:07.328{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF9668605B28D38DCFFBA0DD10C8FB3,SHA256=C29AA06978ECEBB9C0212869FDBFF207CC52AE21E4ED7A5DB8EAF7496417981A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:07.158{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08103089DB9A89BB2558F88F76874140,SHA256=60EACFFC12FFE41C41DF9C4125D00BC40F204DE9D1548D2F27583051802A345D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:08.460{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E69DFDE1208132C9CE0D81DB292FBC,SHA256=A7479F765FA01A3B750B7C29513A1E5B2E527AE4298A90423B871E6F0B0904FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:06.007{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50497-false10.0.1.12-8000- 23542300x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:08.229{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3DA82F8A8F5124132774E25EC33F6C,SHA256=A6FB90177280C887007B0E12FCBBDAA34940D33F12985A71DAD52ECB744F6815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:09.545{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92079F1046E3B0861755144A5AC18FDC,SHA256=1DB8B41ADCF6A6B62B83D4BC33C035F09189DB4C679D9C95874882E4D82CDD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:09.301{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2940D50755BA45EB5D00178201F1A,SHA256=ABD4CE27ED36121C9CE840663EE273FDC1CEEBD2E731DCDD90B0201667EB7964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:09.164{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-064MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:10.645{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A07782F2F39C567198F799E4A96BA95,SHA256=F9ABA714D7BA83DFB5750875B3B9E99E3C64A65ED5CF344468C7708BE7532106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:10.373{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41785560AE4FB56B5F527B5AC676385A,SHA256=8BF25E5D4C5C9157400E3BCFEC5744840FD76D97FBEB015C39F16694FA0C2C64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:07.879{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:10.162{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:11.677{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4EE84D70433658359A6F03B6919F6E,SHA256=F020B2C5DCFFE62410D73100EFB852C5C43A0F579A98C70764914A7BACB34D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:11.455{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE2B0E2644F3BC5E739AA5AED4F7BE7,SHA256=7F2CEDC4FB08E999A49E8D9EEAFAD2B65F449ED996F09002E15D25FFD2595C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:12.794{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC09F1FC2AEE131D9085BDBAB275CFB,SHA256=947149EE058ABD64AC339CDACD148FED0446370F99F7A587973FC7C744CB5B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:12.522{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C009889AB398B532278EF95F564A94,SHA256=5DF599C32CB2543CB6EF0E214C3DFB222E57EE5BAC25014670AD8E7D6C3AE112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:13.882{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6E45BE8E74040DDD81BA985AA44177,SHA256=A7B3906DD8FA6DF1052C79046054ACCECEC147898CC15CCDB9658F962F9CA420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:13.600{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACB0DAD94AA008F2C3B5666F6947756,SHA256=D7120D3F5C7CED907669D0C7AE7C7E6E06566ADFDE771BD3A3CC24CBC61CDD67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:14.671{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0972B1170F334A079737A81CFF2A6FB1,SHA256=B049342B4392A4B7B4A71705A03AF8F68E9490C3F70D5E075C1B40541783D965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:14.624{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EADF4E4A4E5A41ADA1948B4AE70EB131,SHA256=DFF3EFED7418710B09B57220780F5DDD42F9E454A0499E6E975360395E7F9DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:14.279{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3B1CC5F6CFDB0BDB5539A77F91434D46,SHA256=5B85A35041A727595E6146AAE82D6F182908B6C60DCCAFD1E0897F0AF55D637A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:11.139{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50498-false10.0.1.12-8000- 23542300x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:15.758{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1DB1D10C2DD1CBDBE12B0BF1FA49DB,SHA256=68A2AB0C986FF50A7A6872465B88A0FDCB84B31A9246560C0E51531E42708E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:15.900{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4FE1124DCBF9A2B2C07B615388D7CDD8,SHA256=84951B7388801FBD7CDF52E69EEBC389627106EDFD124AF095F73B645333D0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:15.025{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74631833B3B303B62F70FADFA6186802,SHA256=8B789DE2BB576C22E422493CF0EBA606F533EA1B78DE1C74316B17037FD5E5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:16.838{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C42E9A25EEA25FBE254B931F2856F0,SHA256=2DD771D2B011941873F7E654E95A966DE3DACFE2E869E79D0FC9AF9766735CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:13.782{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49405-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:16.063{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012830297D71D0D966A93250700BF8F4,SHA256=89F846E64C8D5D46081B5EA11F10E496079EB3C48BB6D4BA8D8CF71BBE08EC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:17.923{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DFB1F76E1FF7D7DC0DF1D95142F29B,SHA256=872C1651AE043935D265F5014C6B9BF7827C0A81E88BB84A57F6F19964B8200A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:17.162{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE6CF830ECA3F1A4332BAA85EDF6A53,SHA256=8B6592DAEF9CE0A419F17590EFE534E37A62BE658831E5BB09BE05BC91865424,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:17.782{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:17.782{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:17.782{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:18.424{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:18.278{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B17CF8DAA6C42CB17F4CA2E193FCC00,SHA256=7BF251729A51F076C946BA8F1372B4D4B8977FACEFCE304BFD74197D291C2563,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:18.028{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49406-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000077483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:19.296{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B936582B8196840DA23D905949EAB48A,SHA256=EE987FB9369E3BBC05D988284023E49604535A018C2130840B01EC187644553E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:17.038{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50499-false10.0.1.12-8000- 23542300x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:19.004{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018E7DFFDB6E8D1A902AE04545327FD5,SHA256=98B3A2B277A2C8012EF35CA499EE4C096A4EAE89391B221DD09C64005C15F0E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.992{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.944{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.922{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.905{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.881{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.870{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.821{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.817{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000077485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:20.346{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C4BC2F326FEDF1CC521830EF89CE4C,SHA256=83D06F460EAFAB13B2C05EC516CD4759A4C000C1001B3BDD2DC0A2BCB487AE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.990{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.964{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.956{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.948{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.942{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.935{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.930{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.924{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.917{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.908{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.902{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.891{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.883{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:20.103{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6069B15418412C4DB3702FC4F3BD8D5B,SHA256=CBE88EF301555E07EC3F8BF08211C772589032C3255EDE7EFC888A7AEA578E41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.819{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x800000000000000077509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:19.666{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49407-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.411{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D151043FDDE9ADFB45B2212C3F35502,SHA256=4988BEECBDC246E9D8AC0B830A177B2CA20897B9ED22C432326501C39A950C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.388{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5118BC4F698803201AC1A1F9CC6931,SHA256=6F89E4838B1A173F83D68FD7DC6CD171D2AF6F63F16E67E8F2AFAF62529ACE14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.184{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.173{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.152{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.138{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.135{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.113{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.083{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.047{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.038{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.025{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:21.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000035023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.050{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.048{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.047{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.045{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.043{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.041{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.040{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.039{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.038{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.035{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.032{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.018{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.013{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.008{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.002{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000077513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:22.464{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E1EF575E8648B7BB73031D2F7B4982,SHA256=7B2885EF46C2D6A262A7D77E8535EA7AA91136929AFE79ABD612ED059A3E2121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:22.452{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E38D7D842D0BFE2E17097A5716862F5,SHA256=3E2EED7C3E14C109F4C69615049C4F5B2A378F64543F2C55709D244DC2B5CFAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:23.870{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:23.868{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:23.865{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000077514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:23.565{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF690CF35E52694CE4FC176722F6E679,SHA256=EFCD60AEBDCB1165C6452CA0643E19C72CF9684FBC39ACD0D9F19FFAA0651A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:23.516{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BB904FA7A9471552F612016CBC6181,SHA256=B7909994533800FA9D5D850C6C72DEC80E732C6401E81CD0E2BCC50B46D60FD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:23.231{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:23.231{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:23.231{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:23.218{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.667{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548838471004A970D1AD7BB684C40674,SHA256=98566336C8113F450F5BF34B826DCD56B9C25CAB956385D1C557D5CEA5781CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.665{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.659{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.657{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.654{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.651{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.648{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.643{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.639{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.631{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.627{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.625{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.603{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.566{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000035032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:24.597{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738866A52B70B05EDF8821C21E2D3702,SHA256=E42A52FC4C2E45A421EF9514D958E0B9081D4EC643FEC7BF651A77912F015F95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.545{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.543{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.540{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.533{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.530{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.502{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.446{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.436{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.411{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.403{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.400{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.392{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.388{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.386{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.382{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.381{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000035031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:24.218{72106695-ED08-63D0-0D00-00000000BB02}7723960C:\Windows\system32\svchost.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:25.683{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781D01D1B4B2D14C29CA28FFF71D1EFA,SHA256=D7B6FC7972E622A379C4A674546F8F704BFC3ECEA1E3E67DAA1E245638DC6E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:22.091{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50500-false10.0.1.12-8000- 23542300x800000000000000035033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:25.672{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF61178C4957D87F994DFDFE21CACB81,SHA256=E53E48EA0198754186728EE7F7023FA016EB40995E096B3BFC7B14E288270F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:26.780{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0311D3750D7C05EC5824D30111B7CD2E,SHA256=8BBC72DBD96B45299622B2253C67917A085ACE07E408A8AAE837F6EE9F4C3104,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:24.784{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49408-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.738{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EBA6AF25DA9BF6398DA7D800273134,SHA256=BE33BD465432EA583C12E3AFB2C4D55E6D11C4A9B8B67F792957BF8D1760269D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.706{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F84EC919A8AB05E36B71346E053BAE1D,SHA256=0FEF578C7D83E7DE3C7441C02A49E10138E424C58A205CCD246787946987D6BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.599{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FCCA-63D0-5C02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.598{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FCCA-63D0-5C02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.598{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FCCA-63D0-5C02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FCCA-63D0-5C02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FCCA-63D0-5C02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.563{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FCCA-63D0-5C02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.564{72106695-FCCA-63D0-5C02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:26.173{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:27.883{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E420F69B90ABBF82FFBF122006C72E,SHA256=3D7807CB8F811832FC86E65F3B870EC1472EA10345A058001F91348A746FECBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FCCB-63D0-5E02-00000000BB02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FCCB-63D0-5E02-00000000BB02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FCCB-63D0-5E02-00000000BB02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.899{72106695-FCCB-63D0-5E02-00000000BB02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.821{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A1BB4042F62431A8067DA74C5E4B2B,SHA256=C30B16CBA22393B725E029A05822C6499F8F7F4296413B66253CFF23C23BFC51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:25.053{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50501-false10.0.1.12-8089- 23542300x800000000000000035067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.696{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE9C360C83C9126B9BFC86031716A60C,SHA256=18DADC74AA04B7592855A849188B0E9784B2FCBD048E4EB6D5C55BB3809F4678,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FCCB-63D0-5D02-00000000BB02}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FCCB-63D0-5D02-00000000BB02}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FCCB-63D0-5D02-00000000BB02}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.238{72106695-FCCB-63D0-5D02-00000000BB02}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:28.887{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADD375A331F0794DF1674BE4FD86927,SHA256=64C5D8CBBAB8685A14E64E2ABABE749973C4E16FC4968A472EACD12E37C1579E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:28.266{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DFDC55D136CC37623DE6B5C15C60D645,SHA256=D2A0E958117C8DE1B5BDECEDDC9C55B713BFE43CB8A5014B9D9BC30FB093BDAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:28.039{72106695-FCCB-63D0-5E02-00000000BB02}4763520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.974{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCC1F900E7FFE21311C01A219606C6F,SHA256=746C7C79719BF58463E747F4E409FCE6ABDC1BFACB155231C0D91F1B19F36E92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.208{72106695-FCCD-63D0-5F02-00000000BB02}9641828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FCCD-63D0-5F02-00000000BB02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FCCD-63D0-5F02-00000000BB02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.067{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FCCD-63D0-5F02-00000000BB02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:29.068{72106695-FCCD-63D0-5F02-00000000BB02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:29.001{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC42652C4AD939A920CB0A50F78D955,SHA256=B84B5F3EAB715795A202AEE9608C549687777D9FD35D7A604ACAA99E8724BA52,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:27.131{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50502-false10.0.1.12-8000- 10341000x800000000000000035114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.482{72106695-FCCE-63D0-6002-00000000BB02}11481184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FCCE-63D0-6002-00000000BB02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FCCE-63D0-6002-00000000BB02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.349{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FCCE-63D0-6002-00000000BB02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:30.351{72106695-FCCE-63D0-6002-00000000BB02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:30.111{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8527A0F0C28863F4825055817FA0006A,SHA256=5605A0C24AA3408E7A3681C9FBC4FE8DAB361297E65C6E69720323BA0F513574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.205{72106695-FCCF-63D0-6102-00000000BB02}17643112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.049{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114FE45E5AC808423305593FE53C87D0,SHA256=16E8B0D7C36701EAD579CE54E7C504C5FCBF108BAA8573C23FB178267BEF6415,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FCCF-63D0-6102-00000000BB02}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FCCF-63D0-6102-00000000BB02}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FCCF-63D0-6102-00000000BB02}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:31.018{72106695-FCCF-63D0-6102-00000000BB02}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:31.230{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C313FB29E5B94899D90BE93F66DE2EEE,SHA256=797CAB2AC93EBD231D1BCC7B2981A77DB1B301F146DA832835574AC2862313EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FCD0-63D0-6202-00000000BB02}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FCD0-63D0-6202-00000000BB02}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.857{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FCD0-63D0-6202-00000000BB02}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.858{72106695-FCD0-63D0-6202-00000000BB02}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:32.135{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A757027892F54BC41C2B554F10305A,SHA256=4DCEDA5C1558885AA771F916274EC8421AF468A08EB00EC5295B7698F76C8311,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:30.719{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49409-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:32.368{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D541AB2201E7F9FD464171603CB4792,SHA256=2AF535B99DAB34AD6003D14F6AD1E2095BA6F23E32ABB7947BC5A16B5B0667E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:32.352{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:32.352{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:32.352{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:33.383{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6D39B4E22754206A44184E1763665D,SHA256=9842B92BA3F37CC1AA7426535737DDCFBA1AB1C996F97EC4F70A994FE16F487C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:33.954{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA30BE262F2238B997029B020DBC5554,SHA256=C5898292E5E046BF522BADF6CEC0476A7A0DBB44B404C84EFC02F8847F28A814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:33.225{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9CE7B5BB94D8E978C7F1E382ECC8DD,SHA256=72F8308692E581E15BEFE856CACD4EB523BBC1BA29AFF61F523E566D5A4FF11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:34.483{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DC3C0D2C5B377341795EA84B4DC34E,SHA256=13EEA9C9FE175006885595030D8F6F5D642FB5871D2E4464363CDB99FA09EE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:34.298{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A246650D4469D0A2241597D3DD86B0CE,SHA256=EC4FCE0CB747FAE127413132958B1785DD46D068172D26294C3A25A865DCBC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:35.585{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25706C0ECB76D215467B7136DE939553,SHA256=00E0E82728326E87ECC49739771DE5F0CE703CD986C9D77F8A2B07D2C1F66E66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:33.038{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50503-false10.0.1.12-8000- 23542300x800000000000000035148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:35.378{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB3BDBD7D4670F342825B4B7AB95A79,SHA256=CFD18F726EF53BC20A2A6EA10F9EE07EE112D5A49F28126F552D2300A7D843C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:36.885{45AAC21C-ED0A-63D0-0D00-00000000BA02}9046848C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:36.631{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BA7F94910413E3AE228528DCEA6562,SHA256=1E615F2C63AB002ACC355889A68F1A849A9DB5DB3746A17B4598A7DC9B264569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:36.481{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38422372BC3E0459008F2346ED3CF08,SHA256=2FE4F876DEC4C6AEC371D912612E3FA189C7F7980A18855BEF2E436664A8813A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:37.570{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3B8E86E4EB2E8FBDCEAC7B605F8503,SHA256=7E94B792EF39FAB69E6ED6A94EB97273D3761326A95B9CA41AEB5BF982935481,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:35.839{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49410-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:37.733{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF3E0738CC3E5F6E074B39047F36EC2,SHA256=2E95AED8D9B9D59DE18B136A9D66CD09243D25B03783BC0EC435991FC705CB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:38.814{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342845956240FA6F5DF711AB37425109,SHA256=64329B66608E6511167B34B12DE1534266CC55A75485C442F0AC5506D5DDC86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:38.658{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47EB572E0ABC3894895A74A7E22E56F,SHA256=D1702851CAF65DD1C060C4CCE0B3222667F98B07E2D24209234340FF7C564E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:39.745{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974BE049256DA035C417BFBE17EBD88E,SHA256=C203B8BAB045C7CDCA241F7624EF1B5B3F4EDC32F421BC5F9C0D8483BE5414D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:39.955{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052D7D224A5729D1463E064737DBBDE6,SHA256=49B9D06A3354C522560AA0A176E10B7205D4CE5D6847DD1061C7222E3A310D98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.992{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.980{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000035171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.998{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.991{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.981{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.977{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.949{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.942{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 354300x800000000000000035165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:38.134{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50504-false10.0.1.12-8000- 10341000x800000000000000035164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.935{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.925{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.919{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.915{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.910{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.903{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.896{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.891{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.884{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.881{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000035154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:40.825{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303B1DA3A27D931A993C14A12CC02AA4,SHA256=5B94D7ED25B5D79343C7C22C2AAB90832F7D5C342A764BB3D569BBB3E9E4A63D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.948{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.931{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.921{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.910{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.898{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.826{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000077572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.315{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000077571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.315{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:40.314{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3dceef.TMPMD5=4DF8043D988875F196E7170EB48ADC55,SHA256=C4660FA4B1BB90DD96D9F3B0818855B399BF0E5C3D38653DC439DAD480C79018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.671{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.665{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.660{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.276{45AAC21C-ED0A-63D0-0D00-00000000BA02}9046848C:\Windows\system32\svchost.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.117{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.108{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.096{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.085{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.083{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.073{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.063{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.050{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000077585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.041{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE997EE5D53D09A18D88643CCE749E18,SHA256=B0E63A3FFE5FB5C2EE364A194C510C7E0C9C6C3E693D88B98DB5E6B31C50C616,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.030{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.019{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.007{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000035184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.033{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.031{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.028{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.027{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.026{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.024{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.023{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.022{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.018{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.016{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.013{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.004{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:41.002{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000035185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:42.216{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B1EFE8ECC81AD6E66607D0D5254F28,SHA256=084118966C430AA7B5FE429F75BB03CB83006597576D99197AAC2FF1A54F8145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.958{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.958{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.958{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.958{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.958{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.958{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.958{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.959{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:42.075{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E244EFE5D911226AFA9CB87120C6F5,SHA256=2532EEBDFB8EA60F4B3FF3E2D21ABE6C8DDCAC44CCD3C0110003ABFEF24F62D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:43.303{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA5923AEDC8395EB27B757D9E7A19DE,SHA256=12D9EE421F42E9CAC56C94A993B0310D6C2B47FCD2C4ED255AB9F1036CB260C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:41.726{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49411-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000077631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.854{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.854{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.854{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.854{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.854{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.854{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.854{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.855{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.714{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.709{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.701{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.628{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.628{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.627{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.609{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.311{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.311{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.311{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000077613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.162{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B12B3DAB9C4E7EBD7BE540AAA889BED,SHA256=62D95027DC2B3E7487D8865883FD23E24F4A7674B4406DFB6097894BF555CF63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDA-63D0-A303-00000000BA02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:44.373{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A8F4A3FDAC0223BDDB4A0FBC3D84D2,SHA256=916532691C00D06A968CB9C33B7B9FD64B79AA23814824AE1ECFD766A70CD5C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.517{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.514{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.511{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.507{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.503{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.501{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.497{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000077672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.494{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=768FDB305BD52C1D85B417402EA2BA09,SHA256=1DBDC3FD1C03CB9C3D4922449EA45E5F10E9032F8A524BDFD5F0642870A8EDA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.493{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.488{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.482{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.473{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.467{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCDC-63D0-A503-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.460{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.460{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.459{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.459{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.458{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FCDC-63D0-A503-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.457{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCDC-63D0-A503-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.457{45AAC21C-FCDC-63D0-A503-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.438{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.408{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.406{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.404{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000077654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.404{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=98AE5423AC8FAF31826B7DF7C4B70430,SHA256=5013E40EFBB2F4F5A1CBCE39C8B2B79F023A7F9A2C41B2E05387AC01673CAC5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.398{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.395{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.359{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.333{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.296{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.284{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.264{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.248{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.246{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.240{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000077643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.237{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2666C62FEDEBF43641A5D471EF0A0A2A,SHA256=29BD3E8B118C1F7B8BD1D466EB85EDEAFBEC7217F1A799E42B03F1CC6F7AD3D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.235{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.231{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.225{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.225{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000077638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.076{45AAC21C-FCDB-63D0-A403-00000000BA02}78725836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCDB-63D0-A403-00000000BA02}7872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000077633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:44.054{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B224A8E12F9C418AF76C7A79B31C304,SHA256=A85F09BB52CBF7C4C5940889264100F2FF44ABD010201F4CE2B3AD2CFAB0D428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:45.472{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F154CA23A478A1ADB5C4EA19D1195BC7,SHA256=E741C8F0F295A3A1735BEBF6AD18E975A27AFE66FE810995EC6B651C0DCBFDF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.659{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49412-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000077681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:43.659{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49412-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000077680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:45.494{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DED947CB07B1905B4DEF163D625D7F,SHA256=697DB27554416629784D987E280463F3BB8380A2A762EF5CF0CD17B884B6D41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:46.538{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B7D5AF4CDCF885CB0C7024B91AF787,SHA256=829A0F2FE8F702D203ED770FCFF61A8F85312B15C7051C09C1A7B30FB58EF7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.564{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B6F056543D3413EC26ABC9728BDC63,SHA256=89325F2E7FBB250796358F38951A0E9411CF43119A8B7B792FF2D0CE84C173EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.430{45AAC21C-FCDE-63D0-A603-00000000BA02}81886952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.230{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.227{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.227{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.227{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.227{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.227{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.226{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.226{45AAC21C-FCDE-63D0-A603-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:47.643{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10057FB8892ABAA995195FD58B0922E,SHA256=8DC368E39751C65A36CD8B3518D2FB9302E8E36B06B08EAE454CBA979299AE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.797{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCDF-63D0-A803-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.797{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.797{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.797{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.797{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.797{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FCDF-63D0-A803-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.797{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCDF-63D0-A803-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.798{45AAC21C-FCDF-63D0-A803-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.636{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9622E27B0CAA31FA64AEB69EDC9CE8B1,SHA256=C4601781290EDDDD7D8D0170A3553139F47766B2A1CAD18F32D8152CF0925FE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:44.059{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50505-false10.0.1.12-8000- 10341000x800000000000000077710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.481{45AAC21C-FCDF-63D0-A703-00000000BA02}44726724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.327{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDF-63D0-A703-00000000BA02}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.327{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDF-63D0-A703-00000000BA02}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.327{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FCDF-63D0-A703-00000000BA02}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000077706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.259{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCDF-63D0-A703-00000000BA02}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.259{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.259{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.259{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.259{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.259{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FCDF-63D0-A703-00000000BA02}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.259{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCDF-63D0-A703-00000000BA02}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:47.260{45AAC21C-FCDF-63D0-A703-00000000BA02}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:48.732{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A546C2868719D66149002D7E50908D,SHA256=A0B88DE18C760249766E7580CE4355D3F404F869492A14B02C95A6C9F7A2C22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:48.685{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892114BB5EC652429A169520463B99BD,SHA256=AFF2A734D7040B5908CD127A00D6A6256650E1DCB57619C460D55EBCAF59C1D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:48.014{45AAC21C-FCDF-63D0-A803-00000000BA02}72127152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:49.814{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE64BA23E3BD0435D879EDC37C0ED1EF,SHA256=BD6175140D5D0B0236427DEC1EBF8A717A903E233EF76101D3F1F2B4BFF371F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.936{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.934{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.934{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.934{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.934{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.933{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.933{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.933{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:49.763{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3D90BC9190067D3C0CF8DB66B590B7,SHA256=1650D03BE722B36373B1B75A2C67CB0AB6B6736A5017306864B90477AE975003,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:46.800{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49413-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:50.907{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A019F82B19E7F8BD04820F80F32BFF,SHA256=C37F83408C5610D3556E472DA02AB7CEA38E1235669857190982CBD13202D409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:50.871{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F786700C3978CB6E1809DED6EB84E4B9,SHA256=A3F71B522FA41C420FF46BB746EC907289FD0EF5804A99E3B042D379E116836A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:50.085{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:50.085{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:50.085{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:50.085{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FCE1-63D0-A903-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:51.987{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6C287E167C6641B9622BECC811A9F,SHA256=D86086D4962B8D24C68EDBA5E32FB3F46CAD7C125DF51CB1D89B89ECBC81F03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:51.945{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B3558ACCBBBD2E9DC0E8A2C0C02541,SHA256=FD73A128BDDAD06BBCEA73CF1B465B9C8C28C70FF17B115B4D686B254F59FC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:51.036{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9AC629D33E7305C1E41B465932D61AB,SHA256=CCF62B798504251E67974D9E96F1E895DCFDF0D446A3220A689E2DE7E6A97526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:52.969{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B0834D09C02C562D46D90EF2E8336B,SHA256=8B5A1F84E34EBE0D4D754365CAF3E24EE8E4E3176E7C51B74FE0082B2D9AF4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:53.071{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226EEFFACAFD92E8E5635DEB23266842,SHA256=51CE81F9511FCAC60FD2D281307C7B0E14907D20EAE2F6CD42F35EAB9E5FB29A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:50.020{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50506-false10.0.1.12-8000- 23542300x800000000000000035198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:54.150{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2197B809E71A040BDC63ED5988759E,SHA256=0F6DF2EAA335B40D63D610A73087CBA4EFD5F4F9D3C15261263E65F7868A3D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:52.677{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49414-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:54.024{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1AECC3ED432EA5D3302C81887CD26B,SHA256=6C27842A37E0C0308A15D85DF940678D4F184ECCFB2004A1ED2493A185526583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:55.960{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-065MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:55.248{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACE2BAC80E9FBA75442FA6CDA6F78BB,SHA256=B2F0B28AD9F6A0E5759E379707F0CDEAABC50E963A9C3EEFD46676E1125D9008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:55.073{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722CA4229585EA173CD86205EF4A3DA9,SHA256=3DC600F441E1F18991C740FABEC462773C0C3F6A9A95378A895C1B97EFCCA0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:56.959{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:56.330{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB73280FF581A46477702197FE07DCF,SHA256=EA1B5FC7B4E36BEA8B047F740AE0F74F0D0C25A2CBF8B678F96DCE5A2E906A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:56.128{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ECE6A78D791FD02A24B7AF5396AF23,SHA256=A345EEA58D8EF350C888F0FD5C17DD9204529EE46DD8010C347405C2264CE84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:57.400{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A779DCFDE8E60D7B73FC95DBFE89F79,SHA256=52361C3DF57922DEBDA8E2011B8EAF2AFB1332EA19008B939967B523760F0E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:57.199{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9C6DADA7E37801DB1D14F8686F7B80,SHA256=87393E7158A97A4564EED74F75C0DF43ED789C32F01EF2CB95E47F1FD2921212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:58.475{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534BBCB33472D099CEB13A88461D9117,SHA256=376257D459AAE2904E0F07C4BBEF40963C208606D1A1B817492DF6ED142D7859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:58.427{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9D3895488F485E6427537EDADF170FBB,SHA256=62B4FB4EDE7737E561D328710312D48FD3E27262F84F8D69E74EA60EB2BDBFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:58.233{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D90DCAAC6EE03CB9F3EAA39E8546931,SHA256=83686B38C73EF6B863E82C19EFF74074B0B02692C11BDA43F06CCB15DF4512C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:55.952{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50507-false10.0.1.12-8000- 23542300x800000000000000035207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:56:59.463{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF329BB7E2C968277F7E222BBE75CFB4,SHA256=2E39020BA9FA8D407C81BE36F57B4ABB393AEEAB35BC5DACBBF4A0B03BFA6B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:59.304{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39FB8F123A78267838C710D686039FE,SHA256=D4A83839FF706678E7C875F0644C9C6C6D97BAB81FAF684CE629178F540A5423,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.997{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.995{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.994{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.992{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.991{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.989{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.989{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.988{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.986{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.984{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.981{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.973{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.972{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.970{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.965{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.963{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.954{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.936{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.929{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.924{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.917{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.912{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.907{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.903{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.896{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.889{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.884{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.875{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.872{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 23542300x800000000000000035208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:00.554{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BCCF54200DCE71E4046DC1B1799AA,SHA256=721A9448B7E267934D612F9A381782BFA5062D8F33192C743D6AFEDB7DEEE7AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.987{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.964{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.933{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.916{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.841{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.838{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000077748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:00.369{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7D188F8A872BA9C57B795E36BD794C,SHA256=46AEAF144E195CCAD203E6BBF917F3807D3001BFD5C751857A3E2BE10C56A364,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:56:57.822{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49415-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:01.842{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC37C63602339017EFA10F4930BFE8E9,SHA256=73034D5E74F905A1D00BC9A4E1B80729A8E0E4306286F44A399491CA7C583C67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.948{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.945{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.941{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000077771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.435{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C60A45837255ABE6BDDCBD3D65B699D,SHA256=1D2C7D351B1F434DD2FD5EF744FC8E9596B62C0C8CFADCD762865FEF013BE94F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.210{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.199{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.186{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.178{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.176{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.165{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.159{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.154{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.149{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.122{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.084{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.078{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.069{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.057{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:01.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000035239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:02.913{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA82CFD55CA3AE2A30FF22A58BB93E10,SHA256=A718EC2BF404B30B1D7F86D061360F30004D616889F69C2AC76BB8782D6F9CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:02.458{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04122570D004D0E6A95544AC47A1604B,SHA256=C08E2500E034BEEB5A9D6986A436965FC3A3B3E9C5E3F5736BF98AEE6FC09BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:03.988{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E950E3144BBAECB8A05340525281AF,SHA256=36AEC20B4748ACAE70DDDE29ED26D520565D0D6CD5506D0C68DA1D79899F3273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:03.963{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:03.961{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:03.958{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000077776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:03.490{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324B62D7CDE714621907EF64739BEAEA,SHA256=3402E417DE77A14BC8E097281E333539FAD18809F901F605481B606BCE24B407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.883{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.878{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.874{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.862{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.855{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.846{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.836{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.823{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.818{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.806{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.784{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.726{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.669{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.667{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.655{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.639{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.633{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.587{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000077791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.571{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D435F23C9FC24342FA0B90A713D40DC,SHA256=0DEF7DFFD6C06C1EE65703056A27FDD7E580F9BF882077504783BADD52FEE435,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.566{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.528{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.516{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.502{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.494{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 354300x800000000000000035241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:01.153{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50508-false10.0.1.12-8000- 10341000x800000000000000077785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.484{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.481{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.476{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.474{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.470{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000077780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:04.468{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000077812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:05.601{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6B9D035C3837D398298DF93DADEA60,SHA256=050582F242272743E41720923E5EB6BCA50DD347D9E366184652753921D46E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:05.084{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA4EA8A8F1AF3023EEDB146E122B786,SHA256=ED21154AAAA40D85C3672B48AB17788215BACB48553FC04DD5E621656030488D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:03.677{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49416-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:06.650{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA38336A958AC951FCC7F1C0AA2CD1C,SHA256=0414EE793C374AFE49504B7B6936F2A9F70F22D1CACABC2E3A7C9FDA45FBFE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:06.160{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEC90E11BC0B5B1C3A807CE97EBC936,SHA256=01A3EA5ADA4E3F81146F5D656C2C1A7296C5CB8A97E8AF5FB5DB9C8F27F4C71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:07.700{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F684D8B817656962646A8E2179F302C,SHA256=3BB9117C704347A41110357788DB73F3AE2BF4638DA6E3EB695116A7FE6FF227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:07.257{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C284F665B83EDE4389551ACB0FE06EF,SHA256=9F1BDE6CB917BDF4A855D9ED93C6BC3610C3BE9B6CA2FAECA3A5A1489D595116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:08.772{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEC6F15B10E5A3ACC39A7F7EFB9522A,SHA256=750F51B5F49705C668697C2888549D2EDDBF51AF312BAFAE017AA59DE22EB9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:08.345{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514BBB9E3C1FE7D7170A4A325FDF9BD8,SHA256=515D0B5EC53E2EE8924A37007E7B25F4F859CA2F5A497F877443453581C3D7E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:09.825{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481F1E58C05EFB1B464EBF96278D8B4B,SHA256=DB4E823C9686CFC3CBA899243295382F10035F6EEEAD36BFCFD2ABE87B6BC8A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:07.132{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50509-false10.0.1.12-8000- 23542300x800000000000000035246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:09.427{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C717633F6669C855813E710E836EFC,SHA256=19545650C84B92802A6058EAC9F98FA0A30A9D655E5789FCA4B34BCC30EAE6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:10.885{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE83EA8C715B35066DA2BFBA238ADE2C,SHA256=92F3882076DE6A096C1A1B21FE59E15D61FB45B639B8692A08E6ED86E80F1456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:10.495{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA259337E7FCF564AD03F2C4BCBF2DFB,SHA256=3EF298DAE4547A65CD1843E21C6042AA0520A3D2B0B11AA47362B9F1BBC76EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:10.692{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-065MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:11.589{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F2B3E506EE6515F1EB0709F9E1E721,SHA256=FBB5C542B4E480EFC81303CCECC7F5076D12F5BD7F3BA7286D7A5EDD59F343FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:11.908{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8686384069E69C22551B2275CA59710C,SHA256=63AAD7DA4903850D8BAC47B5D927C5C2FD3A0F7C9718B995E0CEA8694EBC37D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:11.695{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:08.737{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49417-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:12.669{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC873F58AA813C4BDB33E0F16CD07AA,SHA256=06D6FE9E5D8BAD378512BE23020B1D11A7CCF7462A15E42C80217BD7D7174191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:12.995{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C545CDB2B0FF5833C40FF75F721B6646,SHA256=E96E92EDA3D50118693C5F889AE21B2E4662DA2230CEFDFC2C6DCF7CE31E6F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:13.764{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0893D3C8611415F0B0323E70FFB9A298,SHA256=4DCB555AA54599FBBDD87F40F79970E8B45526F7F53F0406F15EAABCA2C12BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:14.846{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5917EFF0B6EFF36CD0AA491C52ACF39,SHA256=B47CBDB7443C27D62424E0C26859E88F143DD4F0B2E8C8C3EC87B49A848A313D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:14.628{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E34F6303DFF876F292C38F08ECF6DD14,SHA256=BD285137563E308A3EBD99288CB20A4C97BEE2CB97FB175FF6B12128AAAEFE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:14.614{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2209F97ABD503D258CED56E4CBDCB3FC,SHA256=4CB7EB1139E734BAF8D3AF8E27EFC6FDA7A9443577DE79C59DD8C6257224B149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:14.083{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376FB1597920FF95F9795705E8C2C76A,SHA256=3E951EBE1D995F66B08EA52D6AB5DDD18BA51B93C239A1E50EDC677D61438176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:15.935{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55566806BC6D600CA944DACAD885973,SHA256=F3C74918DB8697D5106A94F3B75BDBF88D6A5A4EA1718C914D6FBB24761E777F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:13.011{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50510-false10.0.1.12-8000- 23542300x800000000000000077826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:15.916{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5F0A532C7F8639E1FDC90DCF0F2DCFCD,SHA256=9994E529B0BBA7278C65FE9BF4A9F4138BA5125FCC08EA88C3A1DC84404ED4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:15.116{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F07761D282E999A288D5194D4882270,SHA256=B6BAC1043FA5F44DAFC2D67583DED359DFBA8FC49DB9FAD7F8D524F285739100,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000077828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:13.831{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49418-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:16.187{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B88FFB713AA38358C8B2208C2071CD,SHA256=5462A27C62A7E24E0E744EFF3C62DE607D0FC15BC46B0E8A2A56DB07DBFFCF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:17.440{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C5AAE0DBEB4B11E16203BD0AF31C9A,SHA256=6309963EEA9EF684AC6B0F1EBCDF4FB6576973BBC646775448301191957E1339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:17.022{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB0785174FE297C69332BF3C504D1E8,SHA256=FF2FACADA6E507B59EF18839F1360A46B9B9C7B79350B33DAF92D961513A508F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:18.546{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F367397A9634A339064C0A2FCCE023,SHA256=A69E5F3EE3FE6BA571989F9E796EB48A6367AD1A2EA7830B6722877AA4F1C1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:18.458{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:18.103{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FD20E1B509DE63081D86A41654F8E1,SHA256=889DB18C41D32B7E71CDD07EDCA9A66AF7E754767D1AD297594C501D4C1538E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:19.496{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0584530E9C23B6ACC5B4A1C05C21D0,SHA256=CB7154CC8CF40C5746D8EE237EE17013CE7769BAEA98C5C279A7192734EE4E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:19.181{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DF4A9F3355FC5C4016C31164247610,SHA256=4DF2D3B6BC239D7E730DCC78C938D87236AAB824751CF6C3DE2313B0F19E656D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.942{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.917{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.905{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.888{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.876{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.813{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.810{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000077871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:20.527{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA62A53AF973DC275D526BE7D53154C,SHA256=AA3A2094E6097E3C3D6CDC41DEEC07F8E5AEF07926AE0A6A5486230AD6EC4B74,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:18.078{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49419-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x800000000000000035287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.997{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.996{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.995{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.993{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.992{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.991{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.989{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.987{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.983{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.975{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.973{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.971{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.965{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.964{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.953{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.933{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.926{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.921{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.915{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.909{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.903{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.898{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.895{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.892{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.890{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.887{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000035261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.885{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x800000000000000035260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:18.077{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50511-false10.0.1.12-8000- 23542300x800000000000000035259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:20.258{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0280E1753092D1151583146C950FCF39,SHA256=7C2762CAD22D60F97D25A8E4E8E5202F09967193951F7413598D8B72DB38B33D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.720{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.709{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.704{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000077895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.568{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B1D9E3F50259F927F535310F5F8F42,SHA256=1B93059FBD1E3CB155C3BE04FE03ED424457B591BF99623FB0D05E4F2D71E1A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:19.698{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49420-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:21.419{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03CCFC62320FD45628097F0FA8F834C,SHA256=7C3267B21374CEE34768DED44D09F3F6859D054F3301E463C2DE7D75A5B1AA0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.155{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.146{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.134{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.120{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.117{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.093{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.086{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.075{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.058{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.049{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.032{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.018{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:21.004{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000035289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:21.002{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000077899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:22.531{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5195B52496E995F27E023FC98B8FC2,SHA256=CCB21431D35795271E4BC41000C8B9BE7309893A7F9FD446F585206D48DBA02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:22.430{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3640DF618AC6599165BADDC3F6F09F,SHA256=C29BEC3AF64A2F687964E8C145A2660D136DFD00AF5AFCA4761EFCE5CE60AD6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:23.738{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:23.735{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:23.732{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000077900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:23.632{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8099C53BAD223334646B79F9C691818,SHA256=16FB1FB66C6550C6B129C212EB30A4B0CB78A411D0EA41F4AF92DEE4AC311A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:23.509{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC12DABE876B58E3F74BCB65687C3A2,SHA256=4B642010BC043B54D7DBC79332BF7D4643D4B65F16EBE170106BCF6484928A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:23.218{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.642{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.639{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.635{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000035294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:24.591{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1BEEB4767EB12C522BCBBEFC1D4851,SHA256=3701CB03852578E5E0AA6DBBB769C5C1852E89F17F1DA291D19422D0C08753B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.631{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.627{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.625{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.618{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.609{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.599{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.592{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.586{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.571{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.508{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.475{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.472{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.467{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.453{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.445{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.404{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.372{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.314{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.303{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.286{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.278{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.274{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.271{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.265{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.261{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.257{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000077904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.256{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x800000000000000035296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:23.132{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50512-false10.0.1.12-8000- 23542300x800000000000000035295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:25.681{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417F3C0612CFAABFAE00E394BAF5ED3D,SHA256=4435CF6B3F0725F2648D968357DF514BBDC96F9490FBF4F8DDFFA491D288B9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:25.737{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED7B361703AABC5938E3D3BDE38E67F,SHA256=848E8D42CDEE8C7374C1BF5DBB0FB39363ECC53FBA173FF72387C937E2D978C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:25.107{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB8A1246D7076F00B4319F374EABFDD,SHA256=903FE49B5CA710983A037702617A98A4465B4291F17825507C227E84E61B9441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:26.789{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1EF0BD037408E1714D16DF0F2DD237,SHA256=AAA739414204A0DD31A83744D017138723FA4136C64778EC7F9AAB1CFE7B9010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.772{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1658294D4D9392848EDD69BDCF5F7A5,SHA256=10A0C7300F741D93EA6CE926B6C245BBB4BCBF2C15CF311CE4AE684D36C916BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD06-63D0-6302-00000000BB02}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD06-63D0-6302-00000000BB02}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD06-63D0-6302-00000000BB02}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.569{72106695-FD06-63D0-6302-00000000BB02}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:26.197{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:24.770{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49421-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.868{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8523963218D64789B1AA7E1D8A69D497,SHA256=0E3F67FF4A1E8C73A0E7A30B8DF129CF5DE07571AB7650FEFF4AFDEB5AAA1C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:25.078{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50513-false10.0.1.12-8089- 23542300x800000000000000077938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:27.826{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ADB1D9AB62E27E75F4EFE04E0DA2E8,SHA256=9753FFAB7AAC78CB043C8CF30942B43A1CB2C8E0247B6F575B1A541751ABDA6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD07-63D0-6502-00000000BB02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FD07-63D0-6502-00000000BB02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.774{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD07-63D0-6502-00000000BB02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.776{72106695-FD07-63D0-6502-00000000BB02}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.634{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77DA38727514CFC59C2F171BF0839645,SHA256=8E58A145FA4B9708E959FF47CB3B5A0A5522D76083D61283ECD3275CFA185AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.618{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D0B5D509BD76AA16ED6E9A9D00F6BCAB,SHA256=9715ABD1F413E04B2D4012674D2202B2CABA7E7B65CB24C1579051948F35664C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.381{72106695-FD07-63D0-6402-00000000BB02}28481640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD07-63D0-6402-00000000BB02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD07-63D0-6402-00000000BB02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD07-63D0-6402-00000000BB02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:27.241{72106695-FD07-63D0-6402-00000000BB02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD08-63D0-6602-00000000BB02}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FD08-63D0-6602-00000000BB02}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.981{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD08-63D0-6602-00000000BB02}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.982{72106695-FD08-63D0-6602-00000000BB02}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.919{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56CB2F9A0E81B93E2703E1B040E7724,SHA256=4F440623D40CE5B9E26C304DCBC5CE6D84975F3D86CD0C332ECB3057881D9CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:28.897{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21242D7529D3D5F215E9370BDBFAF79,SHA256=69F98B53592E350D75962952A025F6E5F30FD3AC20963030135A4F8DAC8DE3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.622{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9B4DA2A91DC753FFF1DD07A8E564B560,SHA256=D08DE4B8D7D7C60A957B9B3D431AD6D399DC9ECD80B7D35F944373E3FE7FFC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:29.931{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB8939B704E50501444B536B1BC0444,SHA256=FCFCBB9142E802B11D6D034395FFAB7087F25A7C6C21B80F816C8DFAE4D58BC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:29.145{72106695-FD08-63D0-6602-00000000BB02}1320832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD0A-63D0-6802-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD0A-63D0-6802-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.925{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD0A-63D0-6802-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.926{72106695-FD0A-63D0-6802-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.396{72106695-FD0A-63D0-6702-00000000BB02}5963696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD0A-63D0-6702-00000000BB02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FD0A-63D0-6702-00000000BB02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.256{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD0A-63D0-6702-00000000BB02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.257{72106695-FD0A-63D0-6702-00000000BB02}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:30.006{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A6C3E92BC6EC7274E2732ED99E6428,SHA256=67E626B3DA5958306A1EF81A398B7166481892DBDE067FC71C69047E48924BE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:28.980{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50514-false10.0.1.12-8000- 23542300x800000000000000035388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:31.394{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF00AF575A6E9386D07110FA8633A5C3,SHA256=8F57D6077CBD22AD180DACC264716E3E295CAF790E9F57B7C1641942445F5314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:31.066{72106695-FD0A-63D0-6802-00000000BB02}2172304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000077942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:29.858{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49422-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:31.003{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58ED47A18D53B326F6DE0863471AB827,SHA256=249ABB3726B09FEF352DDA817CD67E78B6FAFFCCBC65280A10E3D84FCF267AFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.873{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD0C-63D0-6902-00000000BB02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.871{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.871{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.871{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.871{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.871{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.871{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.870{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.870{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.870{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.870{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FD0C-63D0-6902-00000000BB02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.870{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD0C-63D0-6902-00000000BB02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.870{72106695-FD0C-63D0-6902-00000000BB02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:32.181{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1997D2D4DFA4C021A9752E7129ED3FF,SHA256=CB72ABF6191AE2B86C4871CCDAB98B765A6B26C557A7930C9F9F1727C73EE46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:32.037{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4323008969E912BB004BB5DA35B3364,SHA256=3B51C5A2A15965C9142AF99A784AF81066FAD6B27103D9F25891A9B0961F45B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:33.077{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73A292BA021788640BCDD7D327ACCF1,SHA256=C090603B63314374F58AAB3E80F00A6F8A8907F8279E0CEA78A043EE741A6C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:33.920{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A99EE3127711589EF623273DF96CF948,SHA256=00430D1F99D0726A04EA872C46835892DC7CA0F232600A8EC99EAAA1589BB291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:33.256{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AC5C67FFC31BFADE3DB339389A67CA,SHA256=D29BF74A625462BA5A563FB346B513B4800B863A676E06359C64B6A32091D020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:34.156{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37AA304A86FBCAC1272A2EE153A31C1,SHA256=6A2E6818FEB8F2ABF75CB4EAE2969E98A95B7AA7ED54B98E1AEECD13849855D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:34.349{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D502CEA832611C4795BD9D6CA9D89F5,SHA256=97697C98E65DC80E92862BF6182BBB0EBC1C1795D5914579EE7892C061B6CEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:35.228{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102D6ADC96C451326C3308D3F4EA8D1D,SHA256=2F560EE3D755E6F23BD3C847AAFB27AFEFA873CD8892C8D0CE8788A3DE24B26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:35.423{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BC2568FA5BECCDA759FAC2CC87C023,SHA256=F090992E950B4C276C88DDFF3F41A207DBADA1FAD3414396795ED26E6B8D1D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:36.260{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDE2C851DCB79145E136B4F11E38BB2,SHA256=DC18B94359E9FE257838021255C444F6E3C526614FDA740044ED0BF4DF22E4C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:34.132{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50515-false10.0.1.12-8000- 23542300x800000000000000035408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:36.516{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D3F4BFC246690D31F8573447463406,SHA256=B9784E5000245F0537A920303A14D9A6478FFB3DDBFCF4E8081702738A7C2084,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000077949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:35.795{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49423-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000077948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:37.315{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79FB894C4EE45C15F661ACB6B1B3335,SHA256=25C45417FCA4ACC76F95C875C4CEA6657A2009AEB224A0163BD63AE687A17EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:37.612{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F7F70936E714E473255C8B8116A337,SHA256=ABE8EB44C95B445DD0BBB2BBECF38CC3D2961B1075EC014973382C6CA9CB1649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:38.699{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D7CE6D40EB07E4F0C45079BE72E28,SHA256=E4CBB63D9F95876D07F5604327B0E17A9A3D5955A151415B282B08F5F78C0B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:38.348{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AADF6A2C469BD52610B156954AE7D44,SHA256=FED782D546508999A0937EC177B9CE55589B3AD0286984CAB8522031CACF517B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:39.788{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB93BBB9F2ADF4917E7635F82CB67E80,SHA256=33175A77252139978E2DAB49FF8AF51789BB5D750882024E429F91B6A8060B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000077951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:39.404{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5AC809051870FC9118C6CF1F422A6F,SHA256=0DDCFE7384A57F658B61F5D65E39B4320A11803A9F4795CAE55B254F3DF3A7F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.998{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.994{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.985{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.983{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.981{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.975{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.973{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.962{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.943{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.936{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.930{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.922{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.916{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.911{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.906{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.896{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.890{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.882{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.876{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.874{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000035413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.867{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8452200D8571A280EBA8B660A730A9,SHA256=23CCC796F6D5481D0B9F81FF90F762D64C799EB3E7E05E1B9436D26EC70264C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.990{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.982{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.969{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.961{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.952{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.942{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.934{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.885{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.868{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.860{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.851{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.837{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.811{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000077952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.469{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410ADA8C79184FC8CB01968032A1AD43,SHA256=154D59EFA9D482A278E8A6352223BBA4EB23C0ABF33C74DF65C7C53DB9461462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.617{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.607{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.601{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000077975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.516{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3533CEEB84426B69CA8E23BF69F9E2,SHA256=884B96B3321422AC9EEE3520934E0DF5E3C83BE8C1C829FAC68DA0D17706225F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.015{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.010{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.008{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.006{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.005{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.003{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.002{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:41.001{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.999{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000077974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.053{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.044{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.030{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.021{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.018{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.005{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:41.002{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000077987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.972{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.972{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.972{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.972{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.972{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.972{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.972{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.973{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000077979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:42.571{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE2ABF225E8078F76A7C249B47212DD,SHA256=46EF0213F5F8D48EDAC7CDAACF80BFBFFEE3484BED71976A854617619F9CD9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:42.049{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E65E0D436F1BA6FC695FC950A8A64B4,SHA256=0D0F0515670ECDBDA9DFD9F45ED336B3F87F52B773F3ACDB87B57FE4D02BD34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.992{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF7747CA77C0D80210ED2A10940B444E,SHA256=EE57259C752172F324B1E10FAB3640EE29190AD500865E3876E53B7C702A8BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.945{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6E09A2314831EAFFB7A2576CC860ED6D,SHA256=9E8A7340C9C0674618FC8A4BDB37BA3FFE7C38B0DC56F27567B2445B6E1464B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.875{45AAC21C-FD17-63D0-AB03-00000000BA02}70806532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000078008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:40.881{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49424-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000078007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.657{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.655{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.653{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.636{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E02BFF9E6BE96F5E650DF1048B762E,SHA256=6C54408BD1F2C4AD1D455214CDD962788A2992EE0348E1841B7B3B641C12082F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.632{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD17-63D0-AB03-00000000BA02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.630{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.630{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.630{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.629{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.629{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FD17-63D0-AB03-00000000BA02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000077997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.629{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD17-63D0-AB03-00000000BA02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000077996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.629{45AAC21C-FD17-63D0-AB03-00000000BA02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000077995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.617{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.617{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.617{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.599{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:43.129{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BFC7EFA18DE3C23EF13D2DE4506EF5,SHA256=ED0C0915A687F9B3D38ED8EC928D1CE03E783D8BB807C057955100D17A5A21D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000077991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD16-63D0-AA03-00000000BA02}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.715{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C24AF4D37259FAB09D489F85393DC4B,SHA256=BE287D00DCB340D3808B4262D7D68C84FE975DA4FC5EDD6BFC364B800A5A36B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:40.017{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50516-false10.0.1.12-8000- 23542300x800000000000000035445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:44.209{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5539D440C3F7A02764466C821D9EC46C,SHA256=72FB232B7845A272A513B3D7E25039185E3080003F7BA611EA50A67D54ABC57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.530{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3895E76FFF0B32DCB100513EF79C2DB6,SHA256=4BB55B3437BFF5E3753BD0690393883F7F719B46C6E2D5DF5F07A31D249C8901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.450{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.443{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.440{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.436{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.427{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.425{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.418{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.411{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.405{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.398{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.390{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.344{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.318{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.316{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.314{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.310{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.310{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD18-63D0-AC03-00000000BA02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.309{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.309{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.308{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.308{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.307{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.307{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FD18-63D0-AC03-00000000BA02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.307{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD18-63D0-AC03-00000000BA02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.307{45AAC21C-FD18-63D0-AC03-00000000BA02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.280{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CBE934A3DF6502F634217F8217396C71,SHA256=32152B8AE42BB8DB9C0A4B9E32AACE64A80DB129E19ABF7A52CC4E730AA35845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.264{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.214{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.204{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.187{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.180{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.176{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.171{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.168{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.167{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.163{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:44.162{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:45.781{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1A9786F0A91CF389499C3F8003E7FC,SHA256=9B0048BBC5C737A9AAF6614F2152DB59B2FD0E620CC3C4DC1B2FE96E9D4B6809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:45.292{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D719CB015F54FCD3E92B2B4BABFF4AB,SHA256=F4E48DD3FDD7C0CFE4EA2B972DB37063BD1C3EE249F0287820AF6AF7FD26745D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.680{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49425-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000078053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:43.680{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49425-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000078068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.838{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07BB938279D2E133E2AB1DEA3BC9267,SHA256=2F46D9185E46957B3430AAD7F390A7D12746C10318B9C7243622BFEBD507A2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:46.394{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF25ED602A95B98DB844D39AA0B2B42A,SHA256=A22C1B5BCB5892BF4919402DFECB97D668F37F6B1CD532C25BBEA89E441CA5EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.499{45AAC21C-FD1A-63D0-AD03-00000000BA02}61887544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD1A-63D0-AD03-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD1A-63D0-AD03-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD1A-63D0-AD03-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.232{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD1A-63D0-AD03-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.232{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.232{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.232{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.232{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.232{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FD1A-63D0-AD03-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.232{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD1A-63D0-AD03-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.233{45AAC21C-FD1A-63D0-AD03-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.955{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.955{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.955{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.955{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.955{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.955{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.955{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.956{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.907{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED59A1F09E6323E62D433A19056FBE5,SHA256=C2105954DC35482A804CCE945D6CD1C777DAAA60EA4BD07096B316367D8A83EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:47.592{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5D85B8FE48A43300FB31D37E0C3E3C,SHA256=1964AC795F9AFF47B852581F45F30E93CC5C4BEEDAC9335383244B06CF60CE5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.516{45AAC21C-FD1B-63D0-AE03-00000000BA02}78206740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.275{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD1B-63D0-AE03-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.272{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.271{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.271{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.271{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.271{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FD1B-63D0-AE03-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.270{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD1B-63D0-AE03-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:47.270{45AAC21C-FD1B-63D0-AE03-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:48.661{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387193D01CC9507FDF7D6868B8A947E2,SHA256=26C2097EFAB8F32C577BBF3FE1D4F91B2D5CC1FB8A90C2BBB2858EBF87957199,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:46.750{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49426-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000078091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:48.186{45AAC21C-FD1B-63D0-AF03-00000000BA02}65244356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:48.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:48.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:48.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:48.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1B-63D0-AF03-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:49.731{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5436D03B0F338B015F77C98570304A8,SHA256=96FF38BD293800D6C8CCB9EDA1D1A1E74B4577A1238DA619B3B22FD3B9039379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.936{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.936{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.936{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.936{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.936{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.936{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.936{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.937{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:49.056{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CAF9D1B223D02D96600BB66C19B373,SHA256=88BA63C110958D25FFD0EF23E7B0D78191D09C563159A17D4FE56D46CAF4070B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:45.954{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50517-false10.0.1.12-8000- 23542300x800000000000000035453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:50.825{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AE21990CEC5D5E2715E3AA9819E2F,SHA256=846DAC6C46043CF1CA251E8E7D349CCB0FE1388C228710138311A5BB3ED75335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:50.113{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396C5700BED2146C66C7702348365CFB,SHA256=A7305AE1715FBAD03543B58C5960342B43FB6BF20E99F5040EA70AA654C5A150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD1D-63D0-B003-00000000BA02}6796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:51.900{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0373457058AE1C79851E98F503C355EC,SHA256=3BF86BA411F00D20C586664202087E235109719F0E6C9859DEAF4FD06084CEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:51.876{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8AFB1A691EC4A91E1A4BC348DE12EFDE,SHA256=DDDB2C2F695F762BE77D36967FBEB490B83B646570420860422567E7C5C3602D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:51.175{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291B491D74BA60262CDE0C0373BF2737,SHA256=9C0F93F719A53F39CA53FEED6041BA9D0C513E2DD4236CFACA888B366E4E3E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:51.021{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B55E87D73C67CDDDF60A7356DC1F340E,SHA256=1FDD1995D4DDBD81D92C56251CE21E7DF105C1CD2694CFE63985C490371E7B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:52.965{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C932C3F98B33C2DA04CA60BDA3134418,SHA256=B4E984E4D6FBC10E5C68AF254AE59955628D7EECF8B5AB97493D5E8330359233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:52.261{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC5BD5BF50DCA9448352595651692C9,SHA256=F1C6F30F1D82CAC2B20D810607AA27EE0AFE12B826A7A12FF8761DF55110763A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:51.896{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49427-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:53.347{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5591B5913AB1F68561F8FC244CDEE76,SHA256=3DD1A801010C16CA36DE9CC2B7BA2C85F47541D0752E3B9442339CEE1F55ED14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:54.383{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB6565B0BA74AAB127128BDBD5EF27C,SHA256=F30055D98EA90279DEC03FF3CEA4F96B4C10EE5257A8A33281D092B79A683170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:54.051{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8A486FF97C13D8839463ACF632C067,SHA256=C8F2AAD8BFABDC7BE6A47C7E36ED7B9CB7678E4CE80D1494ACCC2893E7D55E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:55.429{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7694ABADDB87EB33A89D4A87FD578361,SHA256=542FFC5920C2476D891000EFE1CD2CF26892895BC08DD1D9E65B8020E2757B09,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:51.072{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50518-false10.0.1.12-8000- 23542300x800000000000000035457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:55.145{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEC4C80A022872405DE467270834BBE,SHA256=8354459E39023C94F5286008540D7014E702D45A11C519506366A9F394283110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:56.484{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24161D1A257D0672A930BD46F91D663,SHA256=9EA1EF3C0C9B0647C5B7BE7FA09E6BD4609827E39D980C639B88E64D89F9B937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:56.221{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662F780DCC11BDAD4812F202DDA0DE34,SHA256=C8ED801B688FDFB4226F27E52C779847302DAC71E2322F019BA6A07DC7F184BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:57.533{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B17A1BAF87B9639D91FA7DA257C0ED3,SHA256=743395DC12AF9347420AAE922684B43E8B429EF9898EA664A783F1407C306599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:57.844{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=88DE52961187D03CFA50A60C8EF0CF9F,SHA256=6D8BEC3924F4EE7154B13BF37E392ED2B2039A81D99303084ACB51E10C2DCE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:57.466{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-066MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:57.291{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884F1CEFCBE1D3502FB4C7C2B314AEC5,SHA256=CEAF9B1750DCD0E04E62F5BC54D635D5E1CA91D3031533F931B28626D4F3DCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:58.602{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BDFA8CFA35885FA055E453702552B8,SHA256=CC138F3E79837ED6A3F3DB42E1789D0B4C8648BC004220DA2AB7444ECCB17760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:58.465{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:58.370{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9E06539E892E08A6526A8A255911D4,SHA256=D0E5927330DD416C009E1819FE84703C5E0B9BCB748B6DB97E1FBC7CB005B1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:57.784{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49428-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:57:59.653{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929947387DEB984AA0C58632FAC887D0,SHA256=17F77C4D50EC38086C6A8CB5C19A4FFE37C6AE321F971BD4C9087ABC47791184,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:56.116{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50519-false10.0.1.12-8000- 23542300x800000000000000035465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:57:59.434{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838035ED89DBDF84EA1D1A9AD92DF148,SHA256=FA4D30DC65EBDBBB9076D826E020E7ADCFA7E21CEE5FCB957BC65FFE2984AC53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.989{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.970{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.950{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.913{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.898{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.817{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.813{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:00.711{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED3BA8BF792A86D326F451A58DDEE69,SHA256=D1F58B6ECD7C278D38F37D0E9D3F36CAAF5A24C308A9CD2E426FEB0AE29A1765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.992{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.964{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.958{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.950{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.943{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.933{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.928{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.916{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.909{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.893{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.888{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.881{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.879{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000035467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:00.537{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4271D387C913A588DEB81EA7F1C03CB9,SHA256=20C6C70D10C989B4998D8ECB6359F066B6A7A52A675BCF7E184AC306A8C1EA12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.956{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.951{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.751{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD7B45D779260F2F5EFAA786D18A60C,SHA256=A5DFE374837042DE724460219F9C1BA6121F9C015444E5F8CC89F89DA0DE0EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.173{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.167{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.161{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.154{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.152{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.145{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.142{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.140{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.138{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.131{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.112{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.089{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.063{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:01.037{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000035496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.050{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.045{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.043{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.041{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.040{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.038{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.037{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.036{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.035{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.032{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.029{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.021{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.020{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.018{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.012{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000035481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.010{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000078147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:02.830{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC87345A796A69C5C4F1B314F829011,SHA256=03F6E3977CE077BF080C568B16A0C9679F8BE5DC525568B49F559ED7018F02A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:02.043{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED26641B9631EBD3026A2B24BC93EBF4,SHA256=22C72F4391D20F4E9ACA02162F87531E751D512284B9B0D97A8F45F923925B2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:03.991{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:03.989{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:03.986{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:03.885{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DB566E932913DCFF53AEFDDA5BBD3E,SHA256=3866338D788926D01A4EFDA1B525D2A3FF5CC8631D7119E808CC899F97938816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:03.252{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0D7F8BCCF693E6F7204DA3031C48B8,SHA256=F1CCEC3082AC08A2023EE12F11650AEF5EF80DFE735E02BDDB5F0A5A1F9E8449,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.909{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.901{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.896{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.892{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.888{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 354300x800000000000000078177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:02.834{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49429-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000035500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:01.970{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50520-false10.0.1.12-8000- 23542300x800000000000000035499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:04.336{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFEF12B4F92BF4A1AE6D3DC31AA6908,SHA256=6552529A9B053CCB78706AC62E858F1B814292CD179F0992C5282BB775C69F6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.884{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.878{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.871{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.862{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.854{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.843{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.825{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.760{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.720{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.716{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.713{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.705{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.698{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.638{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.621{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.577{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.562{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.538{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.521{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.518{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.515{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.511{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.510{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.506{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:04.504{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:05.969{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C35D74E6FB9C3C710D2E9796ABF745,SHA256=97878BFFEEF1F1BDB7106F9C05D972CA99D7C8197E84A47E5B48BA070214ED99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:05.408{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA5714A7F68580599BFBD55EC4FFF06,SHA256=D15A000F09834429785515239079E7042ECA12B455808D4947AFF5AB43D4D267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:05.441{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF285A11C22B98CA69ADAE552D74825,SHA256=87D6E4F09C522650FEE594B312DD5F5DF3E682C6DC9CCE1FD62529BC18446BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:06.500{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BA676250BCEBE87C7E691D42C5EAEB,SHA256=82959FE760D57B81F22BD7E81994C547B31FB2DF27706E86CF3808E5E5BC737C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:07.596{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084A9D13D6F55265778A5501F1F7A8DD,SHA256=A43D49F880C23EAD4EAE6A2C2EC4E6839396469E154C439546ECB72255043260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:07.025{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D07365E8E2D234D1EB0647B7B15AC1,SHA256=42EF43939611AEAB7A93D9446E566EE1B6915DE95C8D34776971A3207C75EA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:08.663{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E4BFA05C741CB7D3EB78D4BBFC5643,SHA256=E5518B2942E43291E4172588235531C9FDBDA5317E650F5A0E1B779E573AF6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:08.075{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A28CA646C0BB2E2A142E9063B2C63E2,SHA256=37B8490CDEB9D29EB6A3FF95C051C1CB0BDFA72BC4A0E2EF10B9AF8C64611172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:09.734{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1E54DB02A34F18C657B2F19B2005A0,SHA256=641D8355754FE1C2D818A7085859D148C94770FAF2B17F58D45A0B1B294E4A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:09.145{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAB54E239301CBFD9E9B23445A52837,SHA256=B6FEE052FDAD2E27AAD9B42CA8A9E2A972ADAA1CEA0485A38C55B9751852FB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:10.827{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B391E0E3208CC8DE6E98E72D67A54C3F,SHA256=666278107AE6F8C3999BC7065BE327217B6820139C924970C53860AE90A85A3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:08.833{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49430-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:10.181{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB7640F6C47EE80DE2083F8705736BB,SHA256=AC3AE6EFB6D37F6FFE70BE9B08C331F02013A08374B29141D54DC7BC2C881C38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:07.983{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50521-false10.0.1.12-8000- 23542300x800000000000000035508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:11.907{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32996EAC8D44DAB71A9AE7B958DC5F76,SHA256=D14760228AC84F820F3453BB6C74C7E2AE6967879421461DE38DDA8C1C1C059C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:11.250{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD1144DAE6A1485A9E028B4F863D61E,SHA256=81F316D51C83E2394B7F18A02CA037588EFF73D3918E6FE08AA638BEEE11F7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:12.984{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C051FE899053CCF967D4CCEBAAE314BF,SHA256=D6A8C4F7B38BBA400EF2AD4AA9A4D04487E43841CAB68E7C1B329E20A0D6F459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:12.285{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6B67D25473A8C235A9BD568026F8B2,SHA256=1CFB7B71ACE30D21CB18DDE3743A80ED87957EC1FA95AFEBCC08DF35E0EDF674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:12.225{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-066MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:13.364{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B758CD9E13A7D32C5083031BB19E5A8E,SHA256=5CAD97F23B135F0D6C988A83334188D988B5B2E12B40A5FA385618901F141D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:13.225{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:14.389{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16D78455A92AF33EE1D4F1AC95BA1FD,SHA256=6DA051CB023BF0B74245CD997D33AEC18D25B0EEB7AE5FE98BBDC7547DD782DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:14.630{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E1DE9DC9EA060F242AD1CD3CBA9FF321,SHA256=25AD9F51D58105ADF2599EF46F77B8BD1D9422B0CC8CA59CE5A5F014255DEB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:14.056{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2B566E6535BD862DA64DE06F4ED648,SHA256=31E07297C9FFDB111E891BD68B48037683DD92EEB3A9D71A89AA91DB2164FCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:14.209{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1549FAA183831723A0617EA66204201B,SHA256=06BC1F4047BB26975E8FB16F38BE4CD0E32FF8979C821F3E9E59D6D4F8CE3226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:15.930{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=085E4D947914B6C33BE719901675F949,SHA256=06CA073136EEF4644EF92A437F5ABC7BEB26AE90D3CF80EC5D859DF8E916DD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:15.493{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E66377A91943ECA0A68E593C94E3881,SHA256=044DAF30B5EBE5521D023FE1671538EDBE4CFCAD08A1E5889D34EC7B1EBB5FA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:13.067{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50522-false10.0.1.12-8000- 23542300x800000000000000035512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:15.148{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E14530497CCE38762EB41BF9E19698,SHA256=B4A2D20540755B141D62E65C011FB5884E8F2DFE5C71E6592027F5E2705409A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:16.237{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89F95E684783D2949F88AA5AC6DF95E,SHA256=2384291474E4A935821481BBD1299A30D452E772C1241134A91BA59AF67585BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:16.531{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7F5C839C4541C7BDE0ED6A88CD4DA9,SHA256=1507894C7ED9A373FB332B3AFA09F4445E2993B96E53A23EA4D8E2A0EBC2DB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:17.340{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C283692C2928E48708D872D6AA19D1,SHA256=CC1E1E183F49B1960782B936F530D15E5FE32ECF307BE66CE520E3FEB055FEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:17.548{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80D5498242B61FC46AFDC6D42232DA0,SHA256=C75D47F0F55537B57CEB673EFA69C94D2D4E1690DCFADD3161165DA696673757,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:14.747{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49431-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:18.435{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45960239E43D2A8018010D93533918AD,SHA256=E372D87B1F72FFE72BD6FF336D665A73609D0744770339914A0A05B6A59BCCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:18.603{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCB1EB2F2DB2F41706CF78B88E2A5A0,SHA256=B9D345E7BB2938530F5D3186E70AAB497F652D94E4CE0006B00056B27664AD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:18.466{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:19.517{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117B0A1B31FFA0ABD8A1BA8E77D33138,SHA256=8468D2D1AFB8D0CD13AD408C1D3A418BB2CFDA0AF8E48C9F104DA5FF6776F5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:19.725{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BA41C4C5B59F84F041FEE675455D9E,SHA256=2927F8C32222D642C7CD1A5F207C5F2FF0F054513A2292B06FDF1645CC87053C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.997{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.995{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.984{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.966{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.961{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.955{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.950{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.944{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.939{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.935{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.928{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.922{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.915{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.899{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.893{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 23542300x800000000000000035518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:20.609{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E037948E97AB36D000DC0E9A863DCAD8,SHA256=14370DDD58A69A5DCDDE540C5A22E6D3E828929ACAD29235D0A0623EC843A3F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.997{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.985{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.963{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.919{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.898{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.888{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.857{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.804{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.801{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.770{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4057EADE834C56F0B266DF178C34C88C,SHA256=14C6D1CB7ED416081D0448833AB2BE168AC181FE474807813DA8257ACD193E9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:18.100{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49432-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000078232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.787{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9064A4F0859CA0B4AE5600446C38843,SHA256=B37ED4BAE252A1774D707526EA04BD807B42149FFE78FC9CDA531F5D13189886,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.045{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.041{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.037{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.035{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.033{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.023{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.022{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.021{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.018{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.013{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.006{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.004{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000035534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:21.002{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000078231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.632{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.627{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.622{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.062{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.045{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.042{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.035{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.032{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.030{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.028{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.020{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:21.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:22.841{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2421731C15824B90E18D53E71A2162,SHA256=8778BA161480ADB0E53A2E55879FC620DD7F9D180C55511B996BEC7B66470464,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:18.976{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50523-false10.0.1.12-8000- 23542300x800000000000000035548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:22.127{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91E4D77B4345F9ACEB285EE777DF5B7,SHA256=81E462398AE3A2C8CE6AA958A8CC50008973730736A858264C5C6B51CD0F87DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:20.639{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49433-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:23.891{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D74FD35F3B012BE37AB23F9DF2FC9A,SHA256=21B16BF582AB149D00AEB3A628312B3A15D31DD92D39B7E31A27F9EA75F065B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:23.231{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:23.231{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:23.231{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:23.218{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:23.176{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089ADACBC2EE66E03AFB292193F00DD4,SHA256=65BE6BEA8B8A084B9986CEB0E5004AE36857603FF5C9FED2F9EB7E854603081D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:23.647{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:23.645{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:23.643{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000035555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:24.245{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009335C61BDBDF009B373F956C0BCF28,SHA256=A463C4D6F5062CCEC1988AE63E3E73F93F502E13AB057029DF14CCB2DB1C65C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.494{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.486{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.483{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.479{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.474{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.472{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.462{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.458{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.453{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.446{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.443{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.426{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.394{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.340{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.336{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.334{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.318{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.313{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.268{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.244{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.204{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.196{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.184{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.175{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.173{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.170{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.168{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.166{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.163{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:24.161{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000035556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:25.323{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66690767C199A37F717FBC2CE0F9F5FF,SHA256=1FAAF51A3C3359F6E3C58C5DCC71993A8639579E3FDD463F2348DBA71042351F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:25.161{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B73C95B14117A958034F05938A8CFD,SHA256=5A21AC76A9C181D32B537A864E2AEF7571588354C6FAA1EBA9AEAAB37FC2CC4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD42-63D0-6A02-00000000BB02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FD42-63D0-6A02-00000000BB02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.579{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD42-63D0-6A02-00000000BB02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.580{72106695-FD42-63D0-6A02-00000000BB02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.416{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFDFA479E1D0AE834F46322779DA0CB,SHA256=AF94F4CE416D1FC14678ADA395AA38363F013D0A7A995781DD645708BEA7C098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:26.232{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA28C0F091EDEEFD296F9FA9AD242CC,SHA256=4E046BAA99A656CC744B64CD949233CE71E74D37EB32E7A3E5D5710BBB2EE9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:26.219{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.935{72106695-FD43-63D0-6C02-00000000BB02}9602104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD43-63D0-6C02-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD43-63D0-6C02-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD43-63D0-6C02-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.765{72106695-FD43-63D0-6C02-00000000BB02}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91F90285DF3A42DFA88C030DA2165CF,SHA256=9C8993C72238347B5E86C0A20CB09F7C737DB51B405B455A484AE744BDAA2E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.763{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CBAB5C7634223BC3AB6565EC1695704,SHA256=AF206D294C918BEE329BC6F205C8B6733763C5DD9BD09A5C316C9C086F5FF0A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:25.745{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49434-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:27.265{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4E54F9BCBB0D83D37F6FD7A9E87332,SHA256=F1D1B891F06B078867AFFA98125FF3077228CBDD147A8B7AD99123050B51A9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.391{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0EABE536EB513E0E80C79DCB4A991ED1,SHA256=3FC31C9008C3015855A74C4C4412C6939459FB0DD37E20EA1CFEF2A5B42E32BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.347{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD43-63D0-6B02-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.347{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD43-63D0-6B02-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.347{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD43-63D0-6B02-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD43-63D0-6B02-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FD43-63D0-6B02-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.251{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD43-63D0-6B02-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:27.252{72106695-FD43-63D0-6B02-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:24.101{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50524-false10.0.1.12-8000- 10341000x800000000000000035621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD44-63D0-6D02-00000000BB02}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD44-63D0-6D02-00000000BB02}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.888{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD44-63D0-6D02-00000000BB02}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.889{72106695-FD44-63D0-6D02-00000000BB02}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.809{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E836D96695D9E131970CB7461B8794,SHA256=63D4C4A8A2C772A4A82CF106D09FE038E2EB34671A78213AB472B26202C4B3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:28.301{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3B3934293DF91163014C16C3F4F9B9,SHA256=36A9A76E60B40F5EA034A854F64FEFF3E55DD2ED1B0556C2D1CE2937C22A69FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:25.093{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50525-false10.0.1.12-8089- 23542300x800000000000000035606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:28.013{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4A73E0B5F44A2ED4E8C009897DCF094C,SHA256=62DE8C58C41FFB038DC7D044A75E5F40FC27322DCFE54666C2EAFE6EE990D1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:29.883{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A6BD6A46F27E8362C5451322126F8B,SHA256=5CE1EA511C1FC8A94B4AEB1BD51E339FFED75F7AECC12F03F7C664B186F16054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:29.440{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042698E0AECF4DB3828396BED76B50AC,SHA256=FCD0CFAD83779A6302EC561AC5E8B0F58FCA82084DD8B05366C01CAE7EA540B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:29.028{72106695-FD44-63D0-6D02-00000000BB02}31602612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:30.489{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9431A5D5C00F1016CEB6C277450E2D,SHA256=A2435EDECA8CE66371F3929BB3A0F12A0B6F6475AD2DC20AB1710E13B5EF3C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD46-63D0-6F02-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD46-63D0-6F02-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.827{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD46-63D0-6F02-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.828{72106695-FD46-63D0-6F02-00000000BB02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.321{72106695-FD46-63D0-6E02-00000000BB02}40563784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD46-63D0-6E02-00000000BB02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FD46-63D0-6E02-00000000BB02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.149{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD46-63D0-6E02-00000000BB02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:30.150{72106695-FD46-63D0-6E02-00000000BB02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:31.544{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342D8587F50F367E0AD2EF624DE2B9C0,SHA256=E2E64754567E2DC04300CED0C93CA8E13CDAC1820F970875278A80C42D3D7485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:31.265{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1875724C55872032A4862F579E6359,SHA256=AF36557969E60FF5C583462B95B51682FECC5CACADED788F33D22806DA0747B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:31.046{72106695-FD46-63D0-6F02-00000000BB02}34763348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:32.562{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D66D0F21CC6AA1BED9928C626E07935,SHA256=46F55C37FF4B5EA2AD6C49AAF96A886EEE94D230248CD4932B44D84E91709363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD48-63D0-7002-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD48-63D0-7002-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.882{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD48-63D0-7002-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.883{72106695-FD48-63D0-7002-00000000BB02}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:32.154{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01BA04568994E6EBCFACCCE9EB4CF0B,SHA256=88DF49570D4711DAF8B3F63AE38E92624D264ECFAE4787411E374795A2806D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:30.845{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49435-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:33.627{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB9BBF869733214B2ADFA31779F1EF8,SHA256=5DBD6844E16C50BDED5751EFFF6DD439478D21BE4117791B5FCA630E1B3FE246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:33.967{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=658904542DBC33D4F6BA46778D98F4EE,SHA256=7A84FFD3CC5320BC102D11A1B8C8E1D4D669F133A73EFF96C0E9B20B74C51C6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:29.942{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50526-false10.0.1.12-8000- 23542300x800000000000000035667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:33.232{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD0DE2D6CBAFA30DF7EFA9F56F08389,SHA256=7252B26D690D17D329FED388043E90E6F97FEBD254BA66162B98B29E9A3A2AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:34.681{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F722BE82E87B9AC3A5BB63C772DFC7,SHA256=1909F66D582EAF1F2AD89A0F30D3BEB08EAD5D93A4BDACACE89A98829ABCF5F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:34.317{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57FCEDB8F98E48CD60CB7D925B57271,SHA256=CBACC995A93ED56EBAEF6BD7FE13A50A90D4B7246E457B38802D9498C3875273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:35.733{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C05B0930E4F45AC8F651DCAE6AD4E6,SHA256=C7EB85A97BC3C44CA121D71E6BA053D6E3C57FEA4B9310B93E0206D6AE9F425C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:35.415{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B98B439F8BE4086F7DC9B6B84A6BEEF,SHA256=CCB4F48CC088464E5FE431DC8932C96A0D0210DF7BD053B4A954993A708F47BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:36.764{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6738F9CADB229143ED6A2D6D8CF970B,SHA256=6C29D3A4FEBCFF890C6EA18BFAA395BB61D793335988857377551EB9A37A4B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:36.509{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523F6783B114EA46FE3E50BD9D3C0AA7,SHA256=155DDEFF4730F69818F2A4EF1840384F0D50AEF600D01DA86F2DB5D558812F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:37.922{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7A8D83A2C0EACA6D7FB6F5FE6F296C,SHA256=87DBE33062E4F25076426D1C1C7EC206485DAEE03DBEE9E799C73C80FEDDB321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:37.591{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0218700E1A07E59C8D49E88C386C0BE8,SHA256=37BCE49D89F1D97F3DA9E2C1F611A29D4B3F99E4A676C930BE1AB93200439DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:38.976{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E60E978B439DE498A506EE6C005DEC,SHA256=CDFF01F05D2AB827F77C86D3350E82BF9ED0EBB441FBBDF844535CAEC1905D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:38.660{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C75F0BCBF9FD5336B7709816FAFFE3,SHA256=87D7E6BB42B5EAF650AB802F02E7FF22C9CA66933473EE9D6A29C324BE2C9105,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:36.707{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49436-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000035674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:35.039{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50527-false10.0.1.12-8000- 23542300x800000000000000035676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:39.727{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C2FD54887DA53C79423711F4033B0B,SHA256=F54A735DC3E9CAEABEBF18093997216EAF34EDA288B3F4CD5AD739775342A83B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.997{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.996{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.988{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.986{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.975{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.950{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.940{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.934{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.929{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.923{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.918{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.913{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.906{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.900{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.886{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.879{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.877{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 23542300x800000000000000035677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.820{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F9471706C5237A13D027AAD91EC57B,SHA256=384A3F2F92431CA92CCE05F1F56A428B2DCACCC8D2B662B282043773DC9B5B5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.994{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.959{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.924{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.907{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.881{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.868{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.823{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.820{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000078286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:40.025{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20712E6CE35F6D48464AD3C51013B59,SHA256=4EA9F2DB355E43903F0937E1D5B6136B6D4E8754751EFA02B748BCE748698AD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.040{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.037{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.032{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.030{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.030{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.027{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.026{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.023{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.021{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.012{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:41.008{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000035695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.999{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000078312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.796{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.791{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.785{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.091{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.083{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.074{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.071{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.057{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000078302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.057{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E83DB818A33F4403DB4C261E1C92908,SHA256=7B479694AC55FBDE249875B1DC387C59B0E2F682B13866A5FD9309F6AF06CF1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.055{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.051{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.045{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.031{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.026{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.016{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.005{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000035707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:42.281{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2F92CCA06B773CE58DEB219DBEB9CB,SHA256=FAADD8B6D949FB9A424A99452D4504362746BE6B0024845009A39DDBE8430EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.966{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.966{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.966{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.966{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.966{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.966{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.966{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.967{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:42.079{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD471222FCEFA9D0005A02722BAC250,SHA256=B91068440AAFDE4DE92679B19BEE799333B9B4DAC2ED6D92CCF32ECDD8DA2F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:40.116{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50528-false10.0.1.12-8000- 23542300x800000000000000035708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:43.414{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB320786FC186293A6F39C25E6AED5E7,SHA256=45FA0F4235E132D6624F3B144F6F8DA7A076FFBD750304887B41CAAA286AB4C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.882{45AAC21C-FD53-63D0-B203-00000000BA02}68241136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.831{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.827{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.817{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.637{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD53-63D0-B203-00000000BA02}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.634{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.634{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.633{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.633{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.632{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FD53-63D0-B203-00000000BA02}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.631{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD53-63D0-B203-00000000BA02}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.630{45AAC21C-FD53-63D0-B203-00000000BA02}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.600{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000078327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:41.745{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49437-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.131{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48577CB6E18EEB98A9BA21D807C69795,SHA256=77CDE8202DF5EBC7B38DC18FFE3DC4124BE7601EBA03719D461CEC504DE1A020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD52-63D0-B103-00000000BA02}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:44.488{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A055CF58004948A7D146F774ED72D5F,SHA256=442508D00542DE74408166C889D1D7FE134946631E754354DCF7E08B00C75291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.606{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.603{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.599{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.594{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000078378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.593{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=106A8762DBF3344B88FEF6779B2976D7,SHA256=4406FA56287034AF3F65C5C26C8F46903A7FC1475560E933FE04E709F15C6F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.585{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.583{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.578{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.573{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.569{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.563{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.556{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.503{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.483{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.481{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.476{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.472{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.440{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.427{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.393{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.384{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.373{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.367{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.365{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.362{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.358{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.355{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.351{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.350{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000078351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.317{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD54-63D0-B303-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.317{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.317{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.317{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.317{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.317{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FD54-63D0-B303-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.317{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD54-63D0-B303-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.318{45AAC21C-FD54-63D0-B303-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.186{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581A91EDC38ECF18BFE7415B992DB893,SHA256=0E64E9EAD51DFAB2853FCC3DDB950FCC0D3FD0FB3B08052153CCB0B25783A6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.117{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E76CB52B3EE6D6FB640DACDB7E7AC8,SHA256=C5EDAF50E281CADB4DCD8327F9CD29E38F25D1D61649AB43D73BF866638CD0C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:44.002{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BD0F7C57F0974391E7A68C4415F91E90,SHA256=F6CFFCFD819F79622750F9DF3F01B390B6D995264BEF020527CB7BEC1F010E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:45.562{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DFA76FCD860F219C5EA6F5BEBC35AE,SHA256=F4E6F90FA7284A6469E3DA97C513842E23F4F2649FB0386D006AB000048C21FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:45.439{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72D75488575E4219046749CEDF3D45A,SHA256=ACFFA9501600567D5C3DE7D786F219D28C8FC9611850EA0AF6C0651ECA2082A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.683{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49438-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000078383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:43.683{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49438-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000035712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:46.647{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44885ADEB34A7551329E04CB2D04C03A,SHA256=3A58B5CB4DECAA048E765A81FB26EA82CC8AE28EBC2B9986E04DE53D7FA21ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.524{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4688149060E245A0992D93D3BEE9359,SHA256=37A4613C692D005D4E65D247F6BC265875D36BB37BE3D0365647B37F3074F9A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.440{45AAC21C-FD56-63D0-B403-00000000BA02}75006100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD56-63D0-B403-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FD56-63D0-B403-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD56-63D0-B403-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.240{45AAC21C-FD56-63D0-B403-00000000BA02}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:47.739{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8545DD29494C77D961E1939897D7DE7D,SHA256=79EE35D18D55DAF9A6365DBED8BB240B70AC4836A67F268C6C6FAE0A334498F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.951{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.950{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.950{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.949{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.949{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.949{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.949{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.948{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.478{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D517980D6B239127D2C96AB09D387F,SHA256=D756B1D31932E188553C2E0D08CFA450858831A86C618A0D4F024F37B702AE74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.463{45AAC21C-FD57-63D0-B503-00000000BA02}79446080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.278{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD57-63D0-B503-00000000BA02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.278{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.278{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.278{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.278{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.278{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FD57-63D0-B503-00000000BA02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.278{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD57-63D0-B503-00000000BA02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:47.279{45AAC21C-FD57-63D0-B503-00000000BA02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:48.814{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5A6092867754734390DDBF506311E7,SHA256=0E67678435EE4DD0148AA61946ADACB4A2A44DFF62367F978A3181E385C14E22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:45.971{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50529-false10.0.1.12-8000- 23542300x800000000000000078420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:48.550{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433D4A5CE2593C7F85252C2C3CBA7B96,SHA256=91673849EED37380BC4025ABA6102FC93B8A0CCBD55D1E6BDD90304CB63318EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:46.812{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49439-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000078418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:48.180{45AAC21C-FD57-63D0-B603-00000000BA02}42648132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:48.080{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:48.080{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:48.080{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:48.080{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD57-63D0-B603-00000000BA02}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:49.883{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553524747762B623610996FC967D2807,SHA256=2C67D6637DE64D59BF30F1EBA4FDA534B715D2E3E8DCD235429D076734F4B600,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.976{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.976{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.866{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.861{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.861{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.861{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.861{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.861{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.861{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.862{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.613{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7245243DA98098C0CEF47920749517,SHA256=79A26DB43798A83C29335959C74EA0E96550F1F9E04147F67AE5218AEB88BCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:49.044{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=38B0E70CA05727D0AF3A3233B3DADC7D,SHA256=90EC4A7327E93854A4204E07A9104E020467476D5E4C716DC6F64704A33F0FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:50.950{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFA28AED1F022D385B0FD960C4FBDA8,SHA256=9E7E379ED7FF50E5A0FC6D230668D1E9558AA6EC885604404B8AABE47605F377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:50.951{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522AAD11667FB3E726598752EF614149,SHA256=6C5B2C800CECE603141C11BCA9F2C454E6F971483360795A986750E87D0AEE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:50.673{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92EE7712C48A8526EFB096475BCAA7A,SHA256=A2DC825F906A8F4797F1193147273559BAFE5AE616A0B687FB66AB8ED20A2BBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:50.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:50.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:50.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:50.067{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD59-63D0-B703-00000000BA02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:51.767{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0471FB1E492CE56B00288EE3788FA1D,SHA256=9F23C88841DF3EDBBCE4C710E37C244FCB376CC6F21747239ABE387630401862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:52.821{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37DFB9238B67B0F8E4642C03442A64E,SHA256=0B9F63DF7E7DCDFCCE718C0523845D3C036D07E49D29C536A01597EF7BB22F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:52.015{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B895BBB85DF7336A501DBE2EFFEE5A15,SHA256=432A657989E7097EC1610E94E5AE6589D8194C044516FDDEEB479C4614DFC83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:53.871{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642BDA92D89B29B8AD3C906DB7BC3569,SHA256=CCEC92D8B247484BFB1B261D35F79A385B2AA1CBF16A7182EC3ACEA06377E7FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:51.073{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50530-false10.0.1.12-8000- 23542300x800000000000000035719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:53.098{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142500D0248941AD43B5B72258CD238D,SHA256=AF7E62B7914613039D6D23522275B36F78F3012626EB476DD6ABBE27FA824761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:54.994{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306B9146F9DD00C3DA4DE101E96A3832,SHA256=108CF79D82F9E92D6EBE493C49CD83097CD901EBA5985755B12035A61061DFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:54.185{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247DD8C9DD6E09F68773780381215CCE,SHA256=EDDA2C95A213E16ED1C7010661B2B72FE8B1F09B8045D23CF93D2C00EF91A06A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:52.704{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49440-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:55.262{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18046C62FE71230CB0D55E8B58E798F,SHA256=A72E38711840317A4BCD92A36DEDCB3B7C5A1489B19B654F61DB015513251D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:56.343{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F23763450C70356F9A3CDB94BCB727,SHA256=45BEFDF58261EE424082AE68A5E287BF1570559DE375AC8DC0621A9EBC17EBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:56.030{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D5865F675C71CCAB0A42078A3C2B23,SHA256=1D281D842AAB4213F0E18B5462C3E7D9E015D0C29F1C1BF96D075A7CECAB1CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:57.422{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2737165A417F66AA9D42B0A03F9679,SHA256=C81E63A281A5FCC3A3C2385310794B95C8299544C47611044992757CD5B2A7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:57.064{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F2DE17F11892BE6D06AAC71E434C08,SHA256=48E812F932FCD7D822CC406F3B7223401AD746690B0CFD49D5130FFA26F23C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:58.983{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-067MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:56.122{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50531-false10.0.1.12-8000- 23542300x800000000000000035726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:58.528{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5B1F1D9B7AFB79F95B743FE213B297,SHA256=45E3E77305A57A5269E0697B8751AAAB491B461497F53CF9418D447A47684033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:58.180{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69942D9473A01199E23C37CDAD7F3379,SHA256=D0D7587E2DB869555F841B3EA16F5925C45AB8FE38675D2BC92EA0133365AAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:58.310{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=68BB4D6545D0B09EF51DD722DA166326,SHA256=9971BCF5B28F2C3218959067C3D1D2C43BE943D9ECC6D082207370D536123FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:59.992{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:58:59.616{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BFF9F21614B852B449BBA8D931D8F0,SHA256=048CC7B7157F2F6C9B11704C42552CF3A287FCB69FFBB561DFE7FAA5DC75771C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:57.835{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49441-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:58:59.235{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B803E5C4FF34721A6A9445B793C1CBA9,SHA256=DADC9251F492676DDF6FDE4E72D4E038E650AD5D950F23A398F2B365DED8995F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.983{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.981{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.980{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.975{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.973{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.961{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.941{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.933{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.928{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.922{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.916{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.911{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.906{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.899{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.893{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.886{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.880{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.878{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000035731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:00.698{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A736FE433DD2B5B7FAD9E0F1ABE1C14D,SHA256=860CA3A087C4EC8A9719F38B50C0EF70A20C65BDD18A4FAC9D8EE6051870C2A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.993{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.931{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.922{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.895{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.880{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.825{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.821{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:00.285{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83AA964C418C8029989BF60CDD5B751,SHA256=D1B6284DD85032D864B86815F32C82F0F01974E5176BADB0AACC407EC8FDA5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.872{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E16A26AE54A779ADFD6233ED333BED,SHA256=A6B1A022E5C47062C6E0DA360681D3132A0BD4469E4198E3D8DF94BFF02ECB43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.667{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.662{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.659{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.325{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A898E998C3775CD8CCA3B1165F0086,SHA256=BE94BC4EB1B48EFFCE25718E68E21B5EE765B214FA9764730D01C869FB77AF91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.034{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.031{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.028{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.027{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.025{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.022{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.021{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.020{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.017{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.012{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000035750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.001{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000078475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.111{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.103{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.085{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.075{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.072{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.070{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.057{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.035{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.028{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.018{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:01.003{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:02.371{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C3538BBFF5F524864F59474CDCE087,SHA256=21746CA39BB41C8DDC4E8201F7A6585F20791DFCB6E5807DE9C2D4EBED869EF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:03.715{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:03.713{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:03.710{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:03.488{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CE0C995D24098F9104173A81E2FE9C,SHA256=EE0614883533F8126CE5AEB6DFB8CDED6DF1A14E4F6F55D0B0C3D9F52951F4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:03.001{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98A585F3F040CDE16962927A5126425,SHA256=7C657B58693E3FE4BCD86D7CAF2F1B597E82C87E02A7CF50E58DA28A95C33283,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.676{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.666{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.646{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.634{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.628{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.624{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.610{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.602{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000078507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.584{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CEFC6E79C197D3E693AFD9DBFFCE3E,SHA256=98EA80C9E734DD3755DCB3C6521D0BECECC88F986263A05ADB32763289DB61C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.583{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.562{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.550{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.515{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000035764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:01.944{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50532-false10.0.1.12-8000- 23542300x800000000000000035763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:04.098{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8CC866ADEF27DB2AD8B895CD654270,SHA256=4E6AD54AF468FE7C89587F74EDEB7168DF7FFCA776804C244636F0629152A86A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.478{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.413{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.411{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.407{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.400{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.397{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.349{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.326{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.293{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.283{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.262{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.253{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.248{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.241{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.237{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.234{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.228{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000078485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:04.227{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000078517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:03.675{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49442-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:05.595{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FD7144EB549B83EBB644CF759C8AB3,SHA256=D8CC9FB4374F7F1B3E6176927CCAE8344C643C1F4FB5B377C1A115F8AAFBE6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:05.206{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4D9BEBB4CDD8B713C0A1FF4B85426E,SHA256=405787CDFCA090ED86CD546C5420DDFA1FA4C7250945C9CC03EF7684359E8368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:06.676{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79FC1D2A015913C43F09C7D46C89D3A,SHA256=833964644D831F5A61E4956E212F56CBC2FA016ADE84E4D7DD6CE1810A3AC283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:06.301{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D732DCB17201EF6715BEDA38965EA61,SHA256=949F430DFDCAEF1E0474D7448F39FD904046877C10D5F00FA3864B8115DF9830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:07.777{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E011DCFABCC2D12B0C5240D14FC098D4,SHA256=D0A0DD7AF612EEDCB294D42C068ED7678322904C38E079C0E7C0B3397A344869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:07.413{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F38DA404DC0BED16DED7BDE306B3CCE,SHA256=FE9E90966A33811580708F6BE5401D0B43171B321D275B3FB6E819D2BA3D0155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:08.892{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711E59312FE022CE8249AAE58D2114B5,SHA256=71A101593E9AE0C0250EF71CB9AACF01A0473DB61269D9D2CE61F1BF59B53D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:08.532{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A78590F95DBB911AEEED98D04EF9A4E,SHA256=3DD8942332BD34FCB15B5D9AD3FBE76EA9769C96C3D1E2197D0C18DADE88DAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:09.993{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA576E39245300DA1C8D50CFBC62D1F7,SHA256=5A5E1F5AD355496B3034429050D62D7769045A17F42FBCEC88EC950C1FBA94EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:06.994{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50533-false10.0.1.12-8000- 23542300x800000000000000035769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:09.646{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CC24FC742E3DE20F0A380058CCDA3E,SHA256=E9871FA8A7CB0BD0D6ED9C49D200108681D5E3C3B5F0ECB91C99DF99E91B1C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:10.742{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C824D93755B52050E1552C942881DDC,SHA256=3230C09DECA628025C1DB3DF627344B7441333B85F22E8CBFE0A13E19ADD2F38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:08.809{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49443-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:11.844{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99028A8592E4F9BD5383DE36046F77B2,SHA256=42776077032AA2F1591B39C47EB4B7FCD674EB28B9434080BCFF15F0EDE53F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:11.093{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177E1F94D4A69141AB4FEDD6A00DD5DF,SHA256=B93B05687442B8AF42FC899E24D5E99553ABB79F132B74F3D17131575809FFA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:12.954{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B3509DA3283283F59377EC2A762761,SHA256=E2022DD1B2F61630589763202DF45341B081233025B092FA370EA6A52726F72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:12.194{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67957996721F23A748908B2328D6977D,SHA256=37ED41B9DAB6631FD8102DDDD72317CA423590B3985E0F8064A5C79A99E9912D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:13.738{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-067MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:13.270{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8CFFA9AB7CE4990797B6B4889A94E5,SHA256=412D12DF65E54C71E3A2CA6F283A44D30C07D126BDE85ACFC2A57E1F673267C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:14.802{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=613000947C89DC5DB48E21FFB4CBCD26,SHA256=7BE22B57BE3390F46ADA1D02B82386F7F133D5F35A9A3A20F01552F35DBD268E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:14.736{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:14.349{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB4A137D033531EC60B3E4B07F24376,SHA256=8F52D854E874740FB30EDBF31E6AE14E1902F475EEC89C8AFAFB5D780F2D93C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:14.637{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=77273CEBC9F434A1C29C4925DE889C73,SHA256=74982D73EC3A032C0847548BFA7FAAC153974D9F1E7CB84A8BFC1240D56CFDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:14.062{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EF086D818372B75A8D403921EACD11,SHA256=11D714F32F0630EFB2ABF2A6B5E0C241DF8C1A1DD2B3E0DF21B1B16D916AEB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:15.935{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=71B668B8AEC264244ED27D21A018A84A,SHA256=EB6F6DF5C902E7604C63280FB92D8F5E460C9F361D0131C599A5934CA8632A2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:15.503{45AAC21C-ED0A-63D0-1000-00000000BA02}4445876C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:15.503{45AAC21C-ED0A-63D0-1000-00000000BA02}4445876C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:15.365{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1047077EF9920554C9B807DCEDCDEB5A,SHA256=97204C6A86AB7C5B5E17ABCDAC3A1EE1F7A871072E51B863DB931198F8687D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:15.176{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C94B10904B406B22D11D878CA92BC1C,SHA256=39580A4746308348BD3EADB42CA391AE02A0FC9E27E8E48AC451FE8B892C62F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:14.715{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49444-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:16.437{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EB309D7D6B8AC8160049A85019C7AC,SHA256=7D5DC8653C1169377294EB41F6440A140CBC76343C17D1CB1A003076C535AE96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:16.269{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0CD499898101AADF4738415A0CC613,SHA256=D9AF48997D7C7CFC56F79EE74D2BA487413985EE1C334832AA451920D06DA003,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:12.038{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50534-false10.0.1.12-8000- 23542300x800000000000000078536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:17.558{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C0013F16D7673C1969D177AF6EC603,SHA256=F4BA3DCEB5A3E17E4BA7AFC8A58F100A1F5BDF3CECED4DA930B9BCB0874762DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:17.374{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08A4DB4EBC28085A77AEC0B76B5E392,SHA256=FD972D3C5BD8206AC44197A2FCD0BA254CE6BB43344244F749B9804A8557DF5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:18.601{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAFD3278B9996D6396DD8B7792E0C5F,SHA256=1FEEFBE66D7A9CB355E1BCC7CDE4E11127B288BC216D89D4519D03FF23AF5968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:18.461{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D4A389BB93C567EA49E1462B2E97AD,SHA256=1F93B58CD9F28D820844CD3EB3E08371D2CD4835976D87E46298540461597923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:18.485{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:19.557{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7B45FA042611BD1AF4906A2C1377B6,SHA256=65AA6C6ECCAB7787C2652156185EFC423FFEB070E97F07C51E62EBD2B46830F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:19.721{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98967F757F53D2FC8C1AE93FC3F00361,SHA256=7B2DE32B32D1026C3C7E460FA94D4A4EA8C0CC2C4D835CA76DAF89B17E8C708C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:19.438{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED06-63D0-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000035801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.996{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.994{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.993{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.987{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.985{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.976{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.955{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.949{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.944{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.937{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.927{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.921{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.916{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.910{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.904{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.898{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.891{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x800000000000000035784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.885{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x800000000000000035783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:20.663{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D1BE468C2540F497A0952C3A06EE66,SHA256=2BC681C4B5072557DBDE450BADDAF1E9274DC0F5E8A1DA2DC7627169AFEEA01E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.996{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.986{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.941{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.916{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.905{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.889{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.824{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.823{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C79508B0FB1D3912CF848036B25934,SHA256=068A0788AAF50DDEC9E18FE61AF79E1497F3A4D1BDDE3DB6CA6EACB9DF703C36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.819{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 354300x800000000000000035782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:17.121{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50535-false10.0.1.12-8000- 23542300x800000000000000078542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:20.486{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0419440C9D7762E29F4594B77766D07,SHA256=D9438D71E3039BF572622F307F70169F8ED8D04EB05786BD82C4932414B383E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:18.102{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49445-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000035813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.974{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FD1E91D546A11A88C91A258229F760,SHA256=B774EE960AC11488CB5A0A0F47219DFCD54D8F83D9BB5E35530D120EAAE38C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.857{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A30AC1401D28743CA42DC814006251,SHA256=3AEE9870332AA24876D81DD6655F0D7EB3A03AE61DDD18D1619DF1FE76DEA07C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.047{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.042{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.039{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.034{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.033{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.030{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.028{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.027{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.012{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000035802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:21.010{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000078570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.755{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.752{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.748{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 354300x800000000000000078567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:19.073{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49446-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x800000000000000078566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:19.073{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49446-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 10341000x800000000000000078565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.084{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.061{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.059{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.048{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.043{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.038{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.028{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.009{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:21.004{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:22.942{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7295792A1F0BA325027645DACFD82373,SHA256=AD6F91786B6DF7B24F0A66055BC41B7FCDFEA11F37586FE2B344052C898A17D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:19.818{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49447-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000035818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:23.232{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:23.232{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:23.232{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:23.219{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:23.073{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01388093BFB433DA267CEC8961888F84,SHA256=1598A16F2B716ACC1F242796CE270B6D0EB021C4CC719E92631BBA007FDD917E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:23.816{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:23.813{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:23.807{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000035819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:24.175{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CA3CDEB9E4DEA8549ACD5FA818ABFD,SHA256=77050ED593C73ED7760EB867AD78206D5397619B7528B971428E1658980C93D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.688{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.683{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.679{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.670{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.659{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.657{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.652{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.647{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.642{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.638{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.632{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.618{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.613{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.613{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.613{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.613{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.613{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.613{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.612{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.612{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.612{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.611{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.610{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.609{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.609{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.580{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.542{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.540{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.537{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.529{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.519{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.471{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.451{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.402{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.388{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.360{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.351{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.348{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.339{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.336{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.335{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.331{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.328{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.043{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F216E66855CF9A0BFE11F661D94D004,SHA256=112447E19BBFFAD2D416E7A358153BE4D73E2AAED7FF610E139B4289BEE7AB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:25.286{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB7BCF1322AFF93AD542CFDC4DD4A34,SHA256=F3B2B406F187544111BB5140F43C9193E2DEF61C4052EE2516D68B0A81B5575C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:25.212{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4220BA4FC487773F51519FB468E269,SHA256=B39D640FBA1D2E2E88B14D23168E2F79AE3A42A7A1A9417808F96641519D70D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:25.207{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5972F2A4B3C6E939D5AE9DAC4BA8664,SHA256=E3DD22492BB63078429AF887A05547F42729E426455EC640BB9EEECBF4821874,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD7E-63D0-7102-00000000BB02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FD7E-63D0-7102-00000000BB02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.585{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD7E-63D0-7102-00000000BB02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.586{72106695-FD7E-63D0-7102-00000000BB02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.376{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F928A0ED85FDEE0D1A44A4771FF14F,SHA256=D5DF0847CA428305A474A2217E726031030542D05ADF1DF2778CB5B5D9C14AB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:22.985{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50536-false10.0.1.12-8000- 354300x800000000000000078648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:24.877{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49448-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:26.292{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF879A05D9BEB719F3B73D5A88FABEA,SHA256=923904AC4B0648838E38790F68ECCACE15D249D17678855DA09D2F0372D3557F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:26.240{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:27.408{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444254B311ED7EA3642FB85EFFD257C6,SHA256=4984972FD34D1CB98F9FD4A56D99FE13DFD45CAC9DF487B64B1EA98BCD4A59D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD7F-63D0-7302-00000000BB02}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FD7F-63D0-7302-00000000BB02}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.751{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD7F-63D0-7302-00000000BB02}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.752{72106695-FD7F-63D0-7302-00000000BB02}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.689{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C00B0A0A5F648A83FC7DABBE983256F9,SHA256=C7CA15308C8B34075C3A561F0429309B47C30AC271170AAACE47819BACEDA919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.532{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DA06FDDAE877ADE142BB17E49A969A,SHA256=5A01659B555629F3BD224ABCB9DD99246D453849F76B46469EA41D058722EA7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.417{72106695-FD7F-63D0-7202-00000000BB02}39003592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.355{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3F39AA3B9ADC371B56B40045FA410569,SHA256=2C361FB9F59853B14CFBC4DFA2B2DFD3F160D762A187ADBF6BDBD6C1D773E09D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.255{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD7F-63D0-7202-00000000BB02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.253{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.253{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.253{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.253{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.253{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.253{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.252{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.252{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.252{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.252{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD7F-63D0-7202-00000000BB02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.252{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD7F-63D0-7202-00000000BB02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:27.252{72106695-FD7F-63D0-7202-00000000BB02}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.984{72106695-FD80-63D0-7402-00000000BB02}952824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD80-63D0-7402-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FD80-63D0-7402-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.843{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD80-63D0-7402-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.844{72106695-FD80-63D0-7402-00000000BB02}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:25.116{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50537-false10.0.1.12-8089- 23542300x800000000000000035868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.554{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=01F663FCDF4B00A0A1484BFC0125CC41,SHA256=59C272E04F2F4E057BF8E7CCDADE44C62A9AB69FE85C9606559E441560152483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.455{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA346BE177BDB7FA7197D89BA9002CBA,SHA256=F481F54D7BB9AD5C646CC2CE519325014673739A6868D2FA97512E6027BC101B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:28.510{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F28A212297DD07D47E5B2C587718EC0,SHA256=E5D20B4B0D153CB5F2ACC7596C31D1EEEBC9BB305DAC2F77681171AB0D705C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:29.580{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329E910276C792213D5FE9DC6C6A47C9,SHA256=508EEB57F6FACCA329BFFC025ED4146CEA59DB3B54C5B9D99275991802A9BF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:29.531{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A4678324385EC1ACD62BC2EEB776F3,SHA256=C642F6CA838907955DB165595A677B96A821EC6075F55EBA0A1CECFCE75D3473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:30.549{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E406A0752EF7EF66C79D5E2AD92F9E9E,SHA256=8D90B20FFCEFCDC0ABD244E6AF465D3795F1C4E1804A9BDD91DB7CD210C78402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD82-63D0-7602-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FD82-63D0-7602-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.832{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD82-63D0-7602-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.833{72106695-FD82-63D0-7602-00000000BB02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.653{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666764A8589ED0DAD32426B6B7710F8B,SHA256=BECB7FE2FDAD43D0A41D691C150E95E26AAD29762B450FBDCACA469B08EC160A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.366{72106695-FD82-63D0-7502-00000000BB02}9362920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.306{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.306{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.305{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.304{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.304{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.304{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000035897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.161{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:30.162{72106695-FD82-63D0-7502-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:31.564{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68707A28FACE5F9D1B2A8111F9EC33D7,SHA256=9992340646994EACAA05458B61F1953BA469DFB202B355FEC3F9248692B3B371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:31.748{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0310E8C59007AE3D5FDFF18758D9875,SHA256=90706391E966C40EF5BD688ADFAD28A369DFE40C61E5D4983C39C75F1348EA9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:28.053{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50538-false10.0.1.12-8000- 23542300x800000000000000078653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:31.464{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FB9504267EB8B529AB06E525D8C1683,SHA256=0581B84010D4F92FF15288414E1E2A3D29F9C883F74B2BA5B42BA12432FE6991,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:31.067{72106695-FD82-63D0-7602-00000000BB02}31801448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FD84-63D0-7702-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FD84-63D0-7702-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.893{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FD84-63D0-7702-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.894{72106695-FD84-63D0-7702-00000000BB02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:32.846{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9471BB5A4E258B37BB835E0959ABDD,SHA256=F8E5DA14EAF56BC342230A3434B59E82846043A586D75B0BBA53C90573A43790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:32.680{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A694FFC8FC3B7B380CEC22C0BB664376,SHA256=0DF7DAC0D45733EE7A598224493017D15B56599482F3609C8BC6A44CBB2DCCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:33.945{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B8D5A0B3513AFDE72DD1EFEAD44D5C,SHA256=A8CD5E2A6FAE8B1FE5221CB76CEC0A02EE2F80954FCFEB0A60C57CF7C3F73B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:33.787{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A525983E6F2AB411715D555410A812,SHA256=943F2021B83262DD448A3689382544D2B46BC33171F9EA5F02C229B34DB2D271,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:30.798{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49449-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:34.814{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47224F9F6895B505B4230B102C838B48,SHA256=EB0440F2456E88E09D4B5FE45AD7217DCE0FF53DB5244580ACEAF6A51662E25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:34.054{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC35A54E105D7968A2C7362F026A0D8D,SHA256=22CB951706299724BF1919B8DB6A1EDC5073215771F7A2AB7A3B520EF0989E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:35.919{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F92AF36D4FCACABF140E76C7580C327,SHA256=B98700A122E5C9B14A7D48BDB854312AD824B73D6A5546E14CBA3201DFBC0068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:35.032{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB2656FA3027B7FE5D8A022C0962118,SHA256=B2167FDFEFFBC65341A7CEF7CC5C64DDEDE4550DB39FBC8751C1D788D7EB4AC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:33.097{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50539-false10.0.1.12-8000- 23542300x800000000000000035939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:36.115{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B711EE0C284749E19E839C09C6B92B9,SHA256=B7CAE41B03C70D9E61DD73A8E25CC101B855CFD1ADCB844842D8BDAE17D3FF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:37.199{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F015EBB69F8DC285B4321F4D383A41E,SHA256=6AEF9A02AC1AE01E0C0BD89DD03A5158B2530122C08AB5670A28510EBFE7A0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:37.035{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44DB38F9CE5AB863195D31FE8DE5FEE,SHA256=B1543EDA557A56D30119A6EF969627098F436A7E907EB42BE61FCBC4B690CFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:38.304{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5559D8F3189F7EA6FF296FA104C628B0,SHA256=32FFA13B2067AA0A1A0EA6E2B374C2B44D93100ADDB3BBA62140326CAB33B2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:38.154{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D54F67422F9FDE5587061AC93537ACB,SHA256=77D2346A6E527A916C83E9DF627D1884B7ADE7A70D49C21BF7BD335E15122582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:39.395{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9477A916A3EF43307B30294BCBDA2D7F,SHA256=10D815B1A1F26D6E518540820DC1AA49B328EC57467965EACD144736F58CD7FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:36.701{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49450-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:39.256{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F6A0D7BB3956B1DF946AFA959D9189,SHA256=6DC3C7CD71D694036DEA7CF97131B8269C2310FB17B2F210FCDAD65329FA3351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.997{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.990{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.988{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.977{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.951{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.943{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.937{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.930{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.923{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.918{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.912{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.903{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.897{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.891{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.884{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.881{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000035944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.507{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE4ACF069511B13F410FE02F13E574C,SHA256=028B481A8E2B0091BF41E7C773ED8F53BDDE025C167A11B39922CFF9ADA77A90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.995{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.986{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.984{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.973{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.971{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.965{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.954{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.925{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.917{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.885{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.869{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.862{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.851{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.843{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.813{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000078665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.810{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000078664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:40.272{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A1748C3D154155F569046758AA260F,SHA256=29227C9D1C6E343DC95890BE1C3EFA05F8CCE13358D9851AF401FFD2B3427A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.876{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987C3783782628E4143D4B5B0A98821D,SHA256=DD9B8FE8C5AEDCB67D8C57907847D98C1B518BED27DE035228EA79D31056AD3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:41.483{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:41.478{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:41.474{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000078687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:41.345{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98937E1029D8941091CC26396CB85E39,SHA256=42066991E8E2305E115563A7D5AF4043FE518BE5231D376C2B8733AA40FFA94C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.030{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.028{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.026{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.024{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.023{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.021{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.020{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.019{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.017{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.014{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.010{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:41.001{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000035961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:40.999{72106695-ED09-63D0-1F00-00000000BB02}20002532C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000078686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:41.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:41.001{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.935{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.934{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.934{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.827{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.822{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.822{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.822{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.822{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.822{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.822{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.823{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:42.442{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A282FE6F539E85ED7601900BE80FD1AF,SHA256=9856476A11111269D381352790580C43EC7A158C80C277DF812AB2DA2A237CB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:39.003{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50540-false10.0.1.12-8000- 23542300x800000000000000078727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.921{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E1C5BB5E139904AB31CE64FFE17F44E,SHA256=D255584D5D4B1CCDCD5643506FA4D0CEB2FF57071D14074C45F2CB71858623AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.875{45AAC21C-FD8F-63D0-B903-00000000BA02}4724300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.668{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD8F-63D0-B903-00000000BA02}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.665{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.665{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.665{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.665{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.664{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FD8F-63D0-B903-00000000BA02}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.664{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD8F-63D0-B903-00000000BA02}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.664{45AAC21C-FD8F-63D0-B903-00000000BA02}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.629{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.629{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.628{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.607{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.518{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D7866062F3D0A49CD8AF75DC8B8127,SHA256=66F79128C4C9D66239A078AEB4D551A72CDA74F76A3BD0615731FE855497A3F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.511{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.509{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.506{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000035976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:43.143{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A92A42650F6C6E1E3C4A65E1310FB4D,SHA256=04099A623554DED87AD862B73BB3D67D602A25004A46B7C8D5B818264C626932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD8E-63D0-B803-00000000BA02}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.676{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B04E43835DAE6F14D7979EB22B09DE3,SHA256=08A58032F07E63F4E372670CB732F3D1F31E2BD92C693B75BB075FC44642BB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.676{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFDC36EF919F84A6A89F1553F39E9E2,SHA256=CD300A31D5882CACD254C94289BB8E2D6B06E08C2CB15E10ECE1D405D08F4771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:44.241{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1040DCC8A83365726E1ABB29E1E5949F,SHA256=F69F130E69D5B9B99228A8F97CC603B657BA3A20C8224F7C67F4B01535697A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.344{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD90-63D0-BA03-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.344{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.344{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.344{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.344{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.344{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FD90-63D0-BA03-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.344{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD90-63D0-BA03-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.345{45AAC21C-FD90-63D0-BA03-00000000BA02}7436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000078760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.240{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.237{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.233{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.230{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.226{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.224{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.219{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.216{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.212{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.207{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 354300x800000000000000078750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:41.777{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49451-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000078749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.205{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.196{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.174{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.154{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.149{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.147{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.143{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.139{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000078741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.139{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B5545CB9661DDDB15523D7CE509C02D5,SHA256=66505BD9D7A80EE1780134FB9CFA6F2F551F1AE8B32C788E1ACBCCC3BBE7C206,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.109{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.092{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.052{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.032{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.030{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.026{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.023{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.021{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000078730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.016{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D251107485476B9E755472435310D5B6,SHA256=A371E3589E29383C686F9AB88D4E742DD3EC4C229F304DFAB1A77020642B3623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.015{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:44.014{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000078773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:45.777{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A151E84960A9A25BDBF88C0CC335DC66,SHA256=8F1C4206EF8BF617176906839636DADBC2E0DCFE0139255A61D6DF2B61430153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:45.336{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6007A216415528739766F4F5B54BF3C6,SHA256=25639FE5DCECB96666D0B947CD0A690583955FDCF972EA8E0C5307A32132FDAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.684{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49452-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000078771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:43.684{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49452-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000078783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.866{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E18DF8EF52EF7A77835A8A47279E7F,SHA256=0A9DE8B42E44FB434AABC7C4F835095E0ED485B31B016AC5434779962F196E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:46.440{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74AA6302DCE352146695011FBF423F19,SHA256=ADE86DF613C2780A005615F759175399792F8B72AF38022524E7B2392E38436F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.480{45AAC21C-FD92-63D0-BB03-00000000BA02}81881716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.248{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD92-63D0-BB03-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.248{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.248{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.248{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.248{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.248{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FD92-63D0-BB03-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.248{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD92-63D0-BB03-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.249{45AAC21C-FD92-63D0-BB03-00000000BA02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.987{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A963A56BB253DF6E367F8BAA1DE78E5,SHA256=0044A2278ED43BF51ABC6B5CE3C563E869D4C9962094860F9A3B307FDF1C4336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.950{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.950{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.950{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.950{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.950{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.950{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.950{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.951{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:44.108{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50541-false10.0.1.12-8000- 23542300x800000000000000035980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:47.541{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35FFF33E4EA5CECD638AD20348B2B01,SHA256=1A9FAE077B2C510E19399269AE380B3901329ADD2AA4BCBFA6ED25F10F834DC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.465{45AAC21C-FD93-63D0-BC03-00000000BA02}79724472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.280{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD93-63D0-BC03-00000000BA02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.280{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.280{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.280{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.280{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.280{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FD93-63D0-BC03-00000000BA02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.280{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD93-63D0-BC03-00000000BA02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:47.281{45AAC21C-FD93-63D0-BC03-00000000BA02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000078810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.984{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F486A95115AF8D461A775CB5C368FB,SHA256=25548A5A49E640FC5A381A14BC9C93405E173D23E0D83E36DBD1DA8FC4E6DFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:48.654{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4151EDB19B7AD8CD3580BF81BB9306C7,SHA256=041754A3BA62C404E8D8594F7679AA0707D31F7F57EE7BD81142358A60DBD14D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.199{45AAC21C-FD93-63D0-BD03-00000000BA02}72127908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.078{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.078{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.078{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.078{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.043{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.043{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:48.043{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD93-63D0-BD03-00000000BA02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000035983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:49.772{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2055F4E9C110E6EACEE3C6369A259153,SHA256=F5AB1B6FDCC052894F62A1FD4AB9C52BBBC7123CC37F3AB13B8CAD0612BE352B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.867{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.867{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.867{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.867{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.867{45AAC21C-ED0A-63D0-0C00-00000000BA02}8481928C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.867{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000078814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.867{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000078813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.868{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000078812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:46.867{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49453-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:49.060{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A033601BA2D5F1B1AB318ABA7286A3E,SHA256=CFF42F3A2500C3E226741192ABD4DF39D15987F6464BEB25D77BED64E9B2E9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:50.871{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F16855E27A94350C7D7A8B4C0EDD0B,SHA256=C46A4E40AEA7756D097772A001DAFC7348E7C2B1E3A7FBE6193E67E7ACD9ADEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.040{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F9717231D64E967DB2E56AC540815E4E,SHA256=EE00C3C135B3FF99696BDA6E493E2473971CBF3A46BFC4FD9F787C77D6E5934C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.036{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.036{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000078822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.036{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FD95-63D0-BE03-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000078821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:50.025{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E80197BBACCF7F267EE64B7BA29349A,SHA256=0C1E78E67502399C96DC376594666A38DFC7F4982FF76A7B5369973DDB3C594E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:51.994{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D6F46BD5EA14DF104F3BDA46C0845C,SHA256=3D4C7DC64FB4CBE8156240592C9376A1603EA20CE4DE3DD019798E58EFB5D805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:51.102{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9787129ABAEF8B6BF69FC0F35892F4B8,SHA256=90B0A6DE3229EF55082D466CF8577ED49F516057C8FECACA03F7635A125C9338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:52.239{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC60602590140859D0B04BB4F833064,SHA256=5533F270AB9F592BFCABA22705F570B953A7D024D3715E802B937A578D9BD24A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:49.939{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50542-false10.0.1.12-8000- 23542300x800000000000000078832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:53.355{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC32BD2BFF76C8171E2F894D1805FAA,SHA256=9F05B1E8A37ECD8D82C8C5AA5DC25ACA5DD0FC6FE757E2509ECF67BE07CE60E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:53.084{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185E005F6B432E56F528623C97A0C7F1,SHA256=D119E97BE486094CFF38C0164B16223F464412F9B4A4C3A98E157CC56AD01D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:54.455{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D9B3AB9353ED5D5C34615C0E437742,SHA256=2EA98CC25D13DD71B23963008D0A461AD2AFC3943A0B286F474E35ABD1437DEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:52.753{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49454-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:54.188{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF0D727B9106B909B0439BEF083D533,SHA256=4428D0FBA4D0DD443E3F5B2D0890D8378684AAA3B390CD22B676D40ACDEE2CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:55.440{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF544F8D20BDA6E9C5B0036E12CD5D3,SHA256=03C4578E28C19FD0C377FD7F41F1C3A78D7368CFF2E7FF4A52A53234416C490A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:55.295{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E76CFD513DA534221B8CF9556D81FE6,SHA256=60B348A84C7C3B9C1BA7F79A134C2E9C157A713D6F8DA2C0E92A935061766150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:56.556{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5368CDE716A4647ED182431793F2A20,SHA256=CF2D4240192C0A9366360552A6179B7B866412FA07B5AA18243165AF2E007B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:56.379{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328D5DFEC42790796FE25A4E51BC9BB2,SHA256=D9E7FDD0ED1997B70DC00675DBC417794304956679C49A71DBCF26D5B7FB722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:57.572{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B3A4B61160282E6100376C3BA46571,SHA256=6F93CC2C197EBED728B0474CC03881C51ACADEA9F5039B3C82461880F18DF81F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:55.086{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50543-false10.0.1.12-8000- 23542300x800000000000000035992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:57.761{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=598A92F6A72ACC8DB59738A649AF636F,SHA256=51C70AE40EB912D09482E895FA9B86391844F52090B34E9F8A53E58ECEBFC380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:57.475{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D182D8AB695F0028AC40F421421E78,SHA256=44DBC37DB67D0B5DA0D498DD90569B8720BCF4B7C8238B926F4BB2488CE32145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:58.661{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398F959C2D104EC2ECE8A94B3AFFA389,SHA256=ACF3EA62C0705981B81D6001A28747D6BFD8D6642C0E2333FA631FBDBA7889E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:58.578{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6628F002EC25D80FF4FC554D8C909286,SHA256=4A4D8777D18CBE9D7C6A064B0CC3D906869F05A04C2C75FE9C0A5540194E3B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:59.791{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF925486E7DCCF9576F667BB183B02CC,SHA256=3D5E3B6E4AE36F3EB5E7639E45DE0B6A8FC1C3E1C8D5532695C0791A911BE952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 09:59:59.676{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93453E8CEAC92C2B4E3A3531DAC85A14,SHA256=FFA69D683C45FB007ABE65C62B0CC49AC026EDB750A901A9299D02AFE0F18083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.989{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.944{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.924{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.911{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.904{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26DCA46A40C580068DFBC49511A0D92,SHA256=EC6079E3709CB838854B5CD9C805B1341D30EE22728D488B1A5B62045E6381A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.896{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.879{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.816{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:00.813{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000036017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.998{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.994{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.986{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.984{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.982{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.974{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.971{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.959{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.941{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.934{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.928{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.922{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.916{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.912{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.908{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.901{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.895{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.888{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000035999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.881{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000035998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.878{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000035997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.775{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A1F7D031581CCFDF469AF06FF14FEC,SHA256=661684BC919B2B32DE2E12A24E2CE2B45757FB47BFF3ABDB0AC5FA5BD83C3CB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 09:59:57.862{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49455-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000035996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.508{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-068MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.913{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505CF455802BA305D8C3A7CA03BBE8C7,SHA256=B4E8FD31D919274F165A49E95192D4F9805EF260D410DB148E5F64F43B30D01F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.972{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E76EC2773FF8BC25E6259D83B740E2,SHA256=75C557B0C5F4F35EEF66DE10867AC0B4B2198CE1A78A078A652C6A3F33518FEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.748{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.739{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.731{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.088{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.065{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.056{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.053{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.051{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.049{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.039{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.025{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.019{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:01.000{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000036027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.516{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.020{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.011{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.009{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.007{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.007{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.004{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.003{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.002{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:01.000{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000078871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:03.788{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:03.785{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:03.782{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:03.030{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890FAB7D7644F8DED2DD0C14464F3953,SHA256=8127DFB4DEAA5C5F7C5D11E49A1E933AB976EF9D001852A4F7ECC8FD6A20254E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:03.063{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A237FEE5586F45DCF762345FA1F9B30,SHA256=C44072AF535EB87274F54766A5446C6091034E2799019EFAE484F235FD4FFB2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.596{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.592{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.589{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.585{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.582{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.580{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.576{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.573{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.568{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.565{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.563{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.553{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.523{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.499{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.497{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.495{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.490{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.486{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.442{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.424{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.363{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.336{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.325{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.318{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.311{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.306{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.305{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.301{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000078873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.299{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000078872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:04.133{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC3F3686C5D7BB2B9FE08602CC61513,SHA256=913474B2B6E1CC4751FA661F9EDA7792B80E24F65B6EF9A7B4608C6C3B67CE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:04.159{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595F496D11C9D38EFB075AAA444D726A,SHA256=6A3237D9FCF02CD94A20F312644B810E7AF7FE2A4167A41C077A30FE5665BB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:00.992{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50544-false10.0.1.12-8000- 23542300x800000000000000078903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:05.615{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7479870B278AF4CA5C01A931235E5A6C,SHA256=591D9168106199A93E16FD3548A7A97E6A05CB40AB2484E438209A49A34019E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:05.260{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E3C50AF9B626AA38C011AC2AC374F9,SHA256=DB6354A197F56FDAD33821A2402577AE2AB400C25CB495B5A52CD3E42F4A2F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:06.705{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0262673C1F30E6120C383934C581DD3,SHA256=87F08225EC816B1B20C46F1ADC6515E98AAA8DAF46638C5D204C5D4D39529251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:06.346{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACB70BA09FF06C5DA3E361CA15DFD25,SHA256=8F8B6FA8F6DC5D65A78F0C584898E12D2865C7D1CF5DBFADA77E2FBCF7908CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:03.734{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49456-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000078908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:00:06.352{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x800000000000000078907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:00:06.352{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Config SourceDWORD (0x00000001) 13241300x800000000000000078906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:00:06.352{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3043171C-3022-4C0A-A8DB-5CE9390B74BF.XML 10341000x800000000000000078905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:06.331{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:06.331{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:07.799{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B245467D738C72745C8743035458362,SHA256=52D9031CA1196C290140D6A9DCE071CF53AC00DAEF48A3D1AB1558931284669F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:07.424{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C81C4A3AAAE0FB2008C2DF019FAEBD,SHA256=2CAA11225FA744AF8127CB8E399B7D3C2FBE7CE5956DB5B16CABE06C2D469302,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:07.190{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:07.190{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:07.190{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:08.869{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D15FC1721834B2A35F715AEFED995B,SHA256=5492DF3ECA332978A5E034D01B7DFAD2F5FDD690CA6CC68C4BFA2A03180E17BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:08.527{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA92F97FFF42F67330A43EC77638F25,SHA256=42E4E43A001FEE18E14A986659051C86A25B211AEFD35AA048FC73358A8FD9A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:06.823{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49458-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000078923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:06.823{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49458-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000078922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:05.968{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49457-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x800000000000000078921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:05.968{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49457-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 23542300x800000000000000078920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:08.284{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3E5744A463A18E7C8432AE9D0502D1B,SHA256=2F40DB08393823FAEBDD4D0D129304B71A425BFFDF744BBFE4ABEE9DC1A8B0C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:08.206{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:08.206{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:08.037{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:08.032{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:08.032{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000078928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:09.970{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBCA0F9D4F47208856E4684CAF1FEF6,SHA256=18C67E29E8A6A4EF6CADC083410FCF8EA0446B5747E959A018043A6A5F831DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:09.625{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094A94774CD39FB921D72A509050D03F,SHA256=24D0B5D5D7F1D81134FEEAFF8CA830127BF1EB76A6E7AD03E9AB8396B51AB1A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:07.666{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49459-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000078926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:07.666{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49459-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000036036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:06.117{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50545-false10.0.1.12-8000- 23542300x800000000000000036038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:10.729{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09F3E57BDED3F1215672960541ABEF0,SHA256=386770E19BCC13B87B2363C068771C802ACFB4D42C87BD05C99B744049F5A90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:11.833{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AFDB372904954C09EF4EA3E1B93FB8,SHA256=1180910454CA6F55B3A68C15691F10FC2148E1FA5A2453CB42254B24049EF4AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:09.668{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49460-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:11.070{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DF4C12B4AD6E9DA166C22432DAA388,SHA256=0DF7CE03FF83B88C84A25EF16F7CD15ABC23DF7FB9EE86A67A42F3DD77DB3764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:12.924{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3014E97F75D179FBEF6CC58EAF129486,SHA256=97FF0C9E082DDDEEA8A296B4791E0F1C78BA6DFB863423132E9308D8BFCDD916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:12.141{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32531042E1B9E50065CA13C1DACB894,SHA256=A48961795C5D68CEF949A45F9BA4EEAAE729B8176745B0A2BA9DFB356499603A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:13.253{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F6FA4E3AE7D28077C092550A887567,SHA256=3742BA5F36C37A9DF570B9CF10E16B0EE42D7F536B2BB02BC6396E52C9457975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:14.400{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D077C9E9E29A83DFE47A01ED6858266A,SHA256=82BA50B263CBDE9D6DAF8FC71A6FE5099C69CF5555683B072322DC543FF377DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:14.318{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A5D26A45FD5549D0EE802840017004,SHA256=0D95838C9A1F96E80C7AD4FE2E4E6687FC5AF8D67681351207ED802E883A8E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:14.644{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E756B404B3F4C77F93AA353839CB0D3E,SHA256=347545F0E08545C54E8878E7886805F8E72DA7215D4C310CFAAD7D375940F169,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:12.024{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50546-false10.0.1.12-8000- 23542300x800000000000000036041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:14.025{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B806C17DA9D60DEE95711442252DB1C4,SHA256=E57924A2D5EC8ED195B22E01469186A1580897DDF6E1D9A38F61CD31145AAF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:15.938{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D202DD01C7EC1B299673BFBE1A8ABF4F,SHA256=2A11808F17C1BB811081C3CD1285BD3B82A3D41D12D536D4F3D77C5984965980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:15.418{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085DB97C2D0A6DF2C4F500C4359B704F,SHA256=3708753360D85D94934F3804FEBD58B4E80DF22611895D988B189B447AB16340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:15.129{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7B9E042208C8B397581CA37FB778B1,SHA256=2D86D71B35686EAE6D4DAAEDEA4A42B2D6757559E32376B847322E2BC1C6FF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:15.258{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-068MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:14.787{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49461-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000078939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:16.486{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543EC0E26180DA9459FEE9BCE4AE4C33,SHA256=48CB4D235263630EB868C9F40102B21FA864A22C54FADE0A6DEC39EE756B6767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:16.210{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D45AE880AF324D4099B7F9757481A3,SHA256=A5522A8CC84D2670BE0CCA1E0C30C3A82024BAE0AB9F2BD75054A05C6DBC8277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:16.262{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:17.556{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB5233B61637D32A5D42695776C9776,SHA256=34B7ECAE20682F003317484198DE68F843208B7931B80A0E14A6363F94935FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:17.286{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B57804FE42CD2CBB165A4D91CAAA84,SHA256=357850936B3AFAB904CED056333ACCAFFD5EE3289497AEE37128E30B3ACCF277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:18.622{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F698C8A49481BA27755713B7349C8C,SHA256=819508D6D1ED5C11B2C04B67A1A843398349F0F34DEE97C4C2B4EC91FD1566D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:18.384{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16BC11D0915EAC65A98AB27E388064F,SHA256=70250617C7D908C0E43924A87D8E5652488DF53E0CD0DD8D8414AD01B96C6559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:18.504{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:19.722{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FE5FC0B1262C91D197EC2FA9085E0A,SHA256=B466257BC763CBBA8D5692E2B81BB19FBBD6BB2C84870CD4AB44606711270B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:19.481{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BECC777BCA0323A5FA560CF2BB481F3,SHA256=3FBB2F8CB939CABD3364FC362B4653F4B2784136B408EB146383527570FF9D6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.992{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.966{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.926{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.905{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.894{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.876{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.866{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.810{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.806{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000078946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.738{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644D65C32AB75833B58B3A54726CDE4D,SHA256=7AFF8277E0481CCEE779BE24C00133A96CC7E6361695CB1BCCE71F61F95282E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.998{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.983{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.982{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.980{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.970{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.963{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.953{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.932{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.923{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.917{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.908{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.901{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.893{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.889{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.887{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.885{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.883{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.881{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.880{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000036049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:20.569{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B07750FB15A0474A2E814F0A3B1F9F,SHA256=0953908653A8087E11DCF7B01AF00A8A902F5E40C016A80C6E4540FA429E9BEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:18.122{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49462-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000036080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.658{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489C97A66465F4B99DFA615570F3CE75,SHA256=CF0B176F1E0E4C58928630F30866977EFB4CEB8F4BB2E5DFE323776E01435E89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.831{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.826{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.821{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000078969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.763{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8BC00CC7229DD63F689C5F96C83B82,SHA256=A43EE4B498FF62139724DDF18C4B8DBF9D38C49314F07909B8EBD1DDB5A71EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000078968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.154{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.142{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.129{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.093{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.074{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.052{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.049{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.039{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.013{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:21.004{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 354300x800000000000000036079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:17.931{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50547-false10.0.1.12-8000- 10341000x800000000000000036078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.016{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.013{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.011{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.010{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.009{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.007{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.006{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.005{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.003{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000036069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:21.001{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000036081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:22.744{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513C5102B8ACC832796F700ADCEF6FF7,SHA256=94A686EAABCE786EDF13E1CDE58CC3665B73D21AE7FA4343980E9A1C28589B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:22.866{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4E974851B3D168D77C24970EB4D1A9,SHA256=B13B7D45936FCD1E81ED431FE32901F0DC346BB41F2703FD79DB68C8DC7DF5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000078973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:20.658{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49463-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:23.832{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD6E1CA4C9A1876E61F9C90CB61FE0B,SHA256=781709626E7DBBFB46D1C9757F8BD34C8A6A490F2A8EF7BD5AED8B3CBDB00C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000078978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:23.976{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB2810E5A5832C8E944FD679659CCA7,SHA256=B4100344984D08D1B8E70968CA48FE1BD03C13BBCFE398840497ECFA9DDA279E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:23.218{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000078977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:23.868{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:23.864{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:23.860{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000036084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:24.929{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701420E634F1259F20D5B73E6C9F9105,SHA256=3A63CA6961F8E3237146413FE5C325822C20769DD7294AEED21CF7AF1ACC1076,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.995{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.684{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.677{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.671{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.661{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.656{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.653{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.641{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.638{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.633{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.630{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.625{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.611{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.579{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.555{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.550{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.549{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.542{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.507{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.451{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.439{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.411{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.398{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.396{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.387{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.384{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.382{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.379{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000078979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.378{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 354300x800000000000000036085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:23.002{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50548-false10.0.1.12-8000- 23542300x800000000000000079012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:25.396{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD697C1DA3F7D9112EA20EC9F4C9D84,SHA256=4B92DDE03BDEFAF02EC60D30BCB3AFD21A3C43AFB9E12C35A27ABCBFBCB1E92C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:25.111{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED06-63D0-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000079010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:25.011{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000079020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.749{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49466-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x800000000000000079019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.749{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49466-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x800000000000000079018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.659{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49465-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000079017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.659{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49465-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000079016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.643{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49464-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000079015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:24.633{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49464-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000079014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:26.050{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B55704E2A1C1FCC7F1F89CA2F67E48D2,SHA256=7D5AE5630C54DC019BB783B4C013247B27F0D3FF7837319A6FD0A149D0CF700B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:26.030{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A8C6D0044A413A7AC80766E4C5504D,SHA256=428D922A79E08BEB3C3DC7E49A223E74C959114727EB2F3AAE169038514FAE27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDBA-63D0-7802-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FDBA-63D0-7802-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.503{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDBA-63D0-7802-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.504{72106695-FDBA-63D0-7802-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.265{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:26.015{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56077B37B2C757F0DCC502B777D7AA0C,SHA256=587C4466DD1491FCEC31E9332E6E8C20600B2EBD2370AFDD3A243E480EF362A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:25.779{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49467-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:27.150{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B56C723FA3ADFE947D05E79CAFCD0B,SHA256=31CE829EAAA14788692A089AAD810FFC38C4833D2C0E021490586FDC0C7ECCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.959{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=915C6F2971852E1CBBBB96466C11F424,SHA256=01962796EF0E1EAF0EC6C731C70FDF7CD3AF332FF7A129114BA3DF30E7A9536B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.928{72106695-FDBB-63D0-7A02-00000000BB02}40401824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDBB-63D0-7A02-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FDBB-63D0-7A02-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.756{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDBB-63D0-7A02-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.757{72106695-FDBB-63D0-7A02-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.631{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC98C076A4441C4F115F3BC1BE1D4895,SHA256=8FEB40F1F592A70703746963290A5C80FDED0EEBD4DE82C03F9E2D050F7105D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:25.146{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50549-false10.0.1.12-8089- 10341000x800000000000000036115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDBB-63D0-7902-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FDBB-63D0-7902-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.142{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDBB-63D0-7902-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.143{72106695-FDBB-63D0-7902-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.095{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6543E17A7EFCC95806655F527A27F70C,SHA256=4AB3DEFBAB2ED8ADCEABDE8D98D7C4EB5E2225BC6B45CE8FF47A5545855610AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:27.075{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DE08D2B5607AFC905876C6F1631BC94B,SHA256=1562DA99035155FC4001E6A1AC26F65838D9B6F56A9A76DB40893F92134FF980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:28.213{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764362588A9F8CDBA7B6E66B130E64B6,SHA256=48A2F6C4E5FAA9C704CAE10D86E978F22DD53A30C2440222C4113AE1696EE7F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.986{72106695-FDBC-63D0-7B02-00000000BB02}24081324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDBC-63D0-7B02-00000000BB02}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FDBC-63D0-7B02-00000000BB02}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.844{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDBC-63D0-7B02-00000000BB02}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.845{72106695-FDBC-63D0-7B02-00000000BB02}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.226{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE82B75EBCE1E0CE169F2C391734DB9E,SHA256=39874A03F371161E93D9AA2F507F594434090A810E3003203931FFBF9FF854AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:29.298{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787F5A12F2C00C117A87400C3DD9106F,SHA256=48324337DE63F0B70577ECE88932E7DDB0190F8FEF3ED5BA6BDD10987E63F063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:29.292{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97B9D2958DCE5CBE801A222C29DF36A,SHA256=F7FC38BB089A992A20B5CECC90A41CF6E3ECAE3F7D773E4023DDE2454F1F8595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:30.584{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\aborted-session-pingMD5=51BD72C6B6F5F6FF0FA569A59E2E93FE,SHA256=902941D88E4E5547989F5C092F038DA4DB03BBF4313D862D439F3C67D4D879B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:30.399{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC17B05F6B049C3638216EE5845B2687,SHA256=5620F8EB468A184324513CEE32F2CE1E41263E00582EBCD1536FFD0B83F3926A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDBE-63D0-7D02-00000000BB02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FDBE-63D0-7D02-00000000BB02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.827{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDBE-63D0-7D02-00000000BB02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.828{72106695-FDBE-63D0-7D02-00000000BB02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:28.121{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50550-false10.0.1.12-8000- 23542300x800000000000000036163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.395{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A292F3FD80829AEFF17E6A96514701B5,SHA256=7C4CA062A4C5455C8EFA932753111BDC0CF7DB49FF2E659ABC2D71018C2A4194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.316{72106695-FDBE-63D0-7C02-00000000BB02}18403304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDBE-63D0-7C02-00000000BB02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FDBE-63D0-7C02-00000000BB02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.160{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDBE-63D0-7C02-00000000BB02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:30.161{72106695-FDBE-63D0-7C02-00000000BB02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:31.366{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CB81CFDA4D3479F07B66B924016D15,SHA256=AEC483D291C8B9D9D05B44A555ECDC111155F9DF6F6B867E1439CCBF44A48990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:31.454{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0311381C7BE699D4B03A118231BCF70,SHA256=E559A4BFE034F1D03FA04A1FAAE35EBD6C3EFDD4B9B73BF6A767A1580183EC18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:31.316{45AAC21C-ED0A-63D0-1500-00000000BA02}11522256C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:31.316{45AAC21C-ED4D-63D0-8A00-00000000BA02}49165260C:\Windows\System32\RuntimeBroker.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000079027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:31.316{45AAC21C-ED4D-63D0-8A00-00000000BA02}49165260C:\Windows\System32\RuntimeBroker.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000036178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:31.015{72106695-FDBE-63D0-7D02-00000000BB02}26482336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDC0-63D0-7E02-00000000BB02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FDC0-63D0-7E02-00000000BB02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.895{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDC0-63D0-7E02-00000000BB02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.896{72106695-FDC0-63D0-7E02-00000000BB02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:32.464{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D615A86890639F7F615F8D70A25B8B1,SHA256=6A9CF3E0212C5E24FCB78EE3DB0911C1933C671341EE2DBE72D888A3821B9146,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:30.974{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49470-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49666- 354300x800000000000000079035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:30.974{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49470-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49666- 354300x800000000000000079034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:30.972{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49469-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x800000000000000079033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:30.972{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49469-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x800000000000000079032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:30.865{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49468-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:32.534{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B5834A533D51349CA1824E03C7EB26,SHA256=91F0599BB30E861BD2278A35AA1A03A1571D606520A1F42E11974D1531765132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:33.564{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C675F4151018FF38854C0D9163F1E559,SHA256=7FAE66147DDD179F866634096D9171534F80DDD70345332B65D8B4ACB5A1CD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:33.623{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4470ABC009B8921DECD3DC2FFC9DC0E4,SHA256=83D2333B10C26AF0ECEA83B9200588B011DBBC22BEBCD281AACD9F40A288B798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:34.645{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9ECC560B46866EDEEFEAA2A3F46BA60,SHA256=54252B45B8600FE7CD18BB616BFEDDC15D65E0AE99C8FEDCFC7963E17F8328C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:34.725{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027A02B7A24AE5E07B38180D29A9EAA0,SHA256=9772DD5717E1D24DD9C5207203A38614AACDAD97648C2E004242D166AB69E851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:34.017{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB105E9A3C121ACEF828696CCE8D0DDD,SHA256=A6050E8DF9C408A693F2E1FABD129A42F15B26C85629C78845C972F97684F943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:35.730{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2F4E17B2A99A739A8CE23DEF3D1008,SHA256=0C7483891B4EA2D34A4220F1DF5CA289D7C72B7A25A1653E01C8F8948294A921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:35.803{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68464245150E7B361B59B0AE087D320,SHA256=55EB243F8F94CCF8E41255506E8C8D4038CC9BACB3EA8C74E1926BA9C582C4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:36.972{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2959C78B85428F3A8B3402029025052E,SHA256=E8AE1D8035F7CC385472CEBBFFF38F64D46076D6276E4B29049D207C3AA4370D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:36.919{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E267E3444CF02ADFEBBCBFE83B8FCF92,SHA256=8D40BCB581B425E6F6E9A72A92AD581E3D76EB9D309ECB74A3FAB1E307EAF9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:36.832{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B0D42C4F1540C1AC05C8CB3A826095,SHA256=E74FEE066C2072681C1B930625FE058B6FEAB5134CBC725613DD81E7B9BB2377,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:34.001{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50551-false10.0.1.12-8000- 23542300x800000000000000036200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:37.828{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADAAEC9E17D7FAB45C25038D8F63CE9,SHA256=7A44B5B53B3235D6EDDFB17D548AB54BA6E19584591BFF4A063012E037CF4B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:37.303{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:37.303{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:38.925{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74501557A3B81A4AF6D2274DE43DCB29,SHA256=B6239D754316F592D5CD65B22783F2D29AAF5BB661A42503924C60AF03F802AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:36.821{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49471-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:38.004{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2AD2D0B50929B13EC64020AFA2590F,SHA256=3EEA3A7C047DC8E4FEECB64447854662B821D7C1BD0C956FC705A99BAB09FE19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:39.088{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D10833D7BA8D5921DD93FF32452993,SHA256=A82871C0D0164DF6C02CC57F1EB01BA1DFF2397FDC4BFC7911C3DA4FBEE85DB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.990{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.979{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.936{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.921{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.913{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.900{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.890{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.817{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000079047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:40.205{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA857720083010C41951F235A9E57D3,SHA256=9E9A1001BF0B0BAB353F6ADD9D434D64B57F6FD84CCE0148E080B43B70917EDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.969{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.956{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.945{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.939{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.933{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.926{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.920{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.912{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.905{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.898{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.889{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.886{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000036202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:40.016{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCEF064F248E0F63A27830733D3EC50,SHA256=9F672EB3274E9B3C68C2402869C923B3A8FB1EF9BABB759308288BF39A1CA587,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.804{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.790{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.778{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000079070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.258{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92057CFC8682F6549892E396A7AD02F5,SHA256=FA10354D9DA59239FBDAF22DB11FE104A888529C297AFB5E952934F97F3D524B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.089{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.086{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000036230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.083{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5480FCF69251C89F274B9E707630616,SHA256=B117F4BB28A50699FC48B83AEF61D10D48070EF60FB85820AA63DE545E6B5A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.081{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.079{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.077{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.074{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.073{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.071{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.070{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.065{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.060{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.047{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.044{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.042{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.030{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.026{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000079069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.111{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.085{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.074{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.063{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.059{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.057{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.052{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.022{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.016{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:41.007{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000036215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:41.010{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000079082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.823{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FDCA-63D0-BF03-00000000BA02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.823{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.823{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.823{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.823{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.823{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FDCA-63D0-BF03-00000000BA02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.823{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FDCA-63D0-BF03-00000000BA02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.824{45AAC21C-FDCA-63D0-BF03-00000000BA02}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000079074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.327{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2BD86D5FD5CC3CC6FE35F48B20AF26,SHA256=479DE4A530532AD120A8EE428C5545D649E0514D9387AB4B0316BC4306900DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:39.099{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50552-false10.0.1.12-8000- 23542300x800000000000000036233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:42.075{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A8A00F18A3A741329BF6473988AFAC,SHA256=403B17B90469E758145B71D906C1B5DB2DDFF84F9D3A6724279ED8BAF16767FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:43.179{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AB7A012BAA50F7DA56796EF51BAD43,SHA256=58EA4DAE6EC38FD0BDC683F482EC00ED6300D48DB1886F7D1A3D3BA5E6C0A326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.957{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992FD9685C252C3AE3502B78D8467EE3,SHA256=5340D217C12CE6CA11F02722D581FECDEADDFD67C63FF77CA3D110ACC5828BBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.862{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.861{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.859{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.859{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.859{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.859{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.859{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.859{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.858{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.858{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000079096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.857{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000079095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.738{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=45DFF04A72922BB4E4E9BF9BB1D8F8CA,SHA256=432854BA8B4B8A4642D71037B121925ED7A883547F92347968B6786E081D7F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.600{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.565{45AAC21C-FDCB-63D0-C003-00000000BA02}52043908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.432{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=53375052E6C335CF8BFEB462C37CCAD5,SHA256=4B97C88E5895ACC436209887F27CA442135ED0E3C3FFF6B4CE5D17CB61503CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.413{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D907A52A587CD5A89DE991934C5B6836,SHA256=9CC2BF8C1E302CE26370C2674CC0EE1943992CF54EA0DF6DE8F5EBEE8B014824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.345{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FDCB-63D0-C003-00000000BA02}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.342{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.342{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.342{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.342{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.342{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FDCB-63D0-C003-00000000BA02}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.341{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FDCB-63D0-C003-00000000BA02}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.341{45AAC21C-FDCB-63D0-C003-00000000BA02}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:44.278{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AC1862F921C25E46A337976B28F44A,SHA256=B354286A341D0D7084F666C90E2AE28930401216ADCECDB84D78234999EE4278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.762{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.762{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.622{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=17CED7EA6B28B31AD4060142F18CB760,SHA256=997A6BD7103F0D7B86CF4B7E93BDCFF5757006D5189A08234135E29EFFA541F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.581{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527020EBF5274898781E6D524BAB154D,SHA256=508AF9C92861E0ED3F85156ACC93ECC16B39364499F11089C77BC5334C022BE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.577{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.574{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.571{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.569{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.565{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.564{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.560{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.553{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.550{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.538{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.522{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.504{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.488{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.487{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.485{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.481{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.479{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.459{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.449{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.417{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.407{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.397{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.392{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.391{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.387{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.385{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.383{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.379{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.378{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:44.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCB-63D0-C103-00000000BA02}7820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:45.370{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4124FB1A82415D6ACDF1CBB8F9ED304,SHA256=4650125359896FB2EA49C0459C45CADADA071855D0D35348F1F42ABA1AEA351D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:45.460{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A7544512FE027CFAEFC2A3D8B5A63A,SHA256=9818864C7C0141D9111F5993F6D252C92740A39458EE6388DC9A443344A0EFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:42.725{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49472-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.544{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA632157CF3560DBF5DEC32B0EF9FC1,SHA256=54612E36D4867145CAA1A24D85A85FD3F7CB526391EB8C6E266F5391085C038B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.479{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.479{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.479{45AAC21C-FDCE-63D0-C203-00000000BA02}65247940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:46.446{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE6274F863EC44C6314F9C61E393EED,SHA256=C0844D4F0433025F5BBDCFAD6C056A886434D0FCDBCFEA081CACFB75D504AD5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.244{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FDCE-63D0-C203-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.244{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.244{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.244{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.244{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.244{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FDCE-63D0-C203-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.243{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FDCE-63D0-C203-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:46.243{45AAC21C-FDCE-63D0-C203-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000079149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.692{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49473-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000079148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:43.692{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49473-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000036239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:47.546{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674AB79B41EE11BF121D4B21B7E07272,SHA256=642020037AF203FA74AA81A33634FC6F4C9C0C0075A468452341B784C8BF0EE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.841{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.841{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.841{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.841{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.841{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.841{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.841{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.843{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000079171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.572{45AAC21C-FDCF-63D0-C303-00000000BA02}65085960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.511{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD69454A11BD84A6DCEB7ABE479466,SHA256=824B840BCAA48BB819863ECA8DC1A43F21DA6CF47249C6D5FE875BB32A106CCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.296{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FDCF-63D0-C303-00000000BA02}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.296{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.296{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.296{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.296{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.296{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FDCF-63D0-C303-00000000BA02}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.296{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FDCF-63D0-C303-00000000BA02}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:47.297{45AAC21C-FDCF-63D0-C303-00000000BA02}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:48.644{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C309064EBFB9A3D228D44E949A6F08,SHA256=13F41434D518C902CE3D27EA9431BFF88767C63F031FCF25955359F41D9F22F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:48.613{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E596779817D2EF3750351C3FF57D78A,SHA256=CF9F70767EBB6CCC4C6A763A018FA9836D8A354B836A24D46CF7CC06CEC84E2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:48.091{45AAC21C-FDCF-63D0-C403-00000000BA02}70725408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:48.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:48.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:48.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:48.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDCF-63D0-C403-00000000BA02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:49.854{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDAD7226445C137C3636751032D2EA6,SHA256=5DB229E1B57C1352EAF55BCD5CA77E185380B6B805B3611B4D8318B18BA9C9BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.892{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.892{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.892{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.892{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.892{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.892{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.891{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.891{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000079186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:49.691{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BFED0D9DF03CA080DE90E45FC8696D,SHA256=5760B15E0F9EDDD382F7C37A5526917B67C87DCDE727F658058FF1D9FED5F631,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:44.929{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50553-false10.0.1.12-8000- 23542300x800000000000000036243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:50.946{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F82626AC3DC0ACE136B2AEBE8F51F4,SHA256=933FA07014B5FF5A00B2E96DE11A30BB3D6F1A0C73C84736A7B9AD104834AC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:50.792{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77273773FD951CF7A451EA823FB70ED,SHA256=B6B38E40520FDCB83DEB790D6B3F12A0FE340F5DC6867534FE3C55D24F84EE5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:50.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:50.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:50.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:50.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD1-63D0-C503-00000000BA02}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:51.911{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9549A3CD5A0EF3E5A187FE1F5ED4301,SHA256=01E2793D2E1671002975523D128D1C315108A065CB731A562F67F2DF777B81F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:51.811{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:51.811{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:51.811{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:51.742{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:51.742{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000079201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:48.691{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49474-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:51.008{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13AA671F200A560EB2FC7AA464E20A66,SHA256=2FA67D974FDCFAF5C4B63F1A53C81FB58E0488FF9231554D46C4FEEE19D65975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:52.928{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686CCEAC2BEE64DBD5EAD50E984DFDF8,SHA256=FBED5FC6429747090907DD9726170189091EDA5D62E4ABCB2D05B25E23AC987E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:52.029{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E236637A50566688A6081055974C73C,SHA256=4CE72D6512BACE6DE39DDAE0CC197398E92062244085F52B4383CD58598475FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:50.040{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50554-false10.0.1.12-8000- 23542300x800000000000000036245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:53.114{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A3024F1D7066B4D55E0ECEAAC041B3,SHA256=E478AED28F7097BADEBDFE661C7ADF07576B367DA7EBADCE52B1741E9D5E3717,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.243{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.243{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.243{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.159{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.159{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.159{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.159{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.159{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:54.216{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A84D648D34F99CD00A8760ED506716,SHA256=E2FC211345998F994EBCF02ED77F9B4F976A08B00A57CEED0B070330464E5EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:54.029{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A62E3E682586CA289ED2EE7F8CF0EE,SHA256=F3B1AAC539548E7F63E363C2FE3030FE2D221064C232D10AD5E0AC6A9DF21CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:55.316{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A892411CD38F087EC048751688B7B4,SHA256=FD259DF1FF32A1F174704D10F9946D3E34375F25B44A83564A715A0FD958465C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.716{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8E3160023137E99B037418F58A5ACB97,SHA256=7ED4AFF9CB14F96C933288E80E3D849E9565B17024C991EFAE8E3807483C7E92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.661{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.661{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.661{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000079296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.319{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4366106A38C830EE0E29C5870FDED907,SHA256=7105CC96F0444E7C501E6ED079687BD3D68331BB14223AD4669E04FEF483E352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.299{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.298{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.277{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.277{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.277{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.230{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.230{45AAC21C-F6CE-63D0-DF02-00000000BA02}3683128C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC311EA)|UNKNOWN(000000000ECD9AD2)|UNKNOWN(000000000ECD9A3E)|UNKNOWN(0000000019A9730D)|UNKNOWN(0000000019A9722F)|UNKNOWN(0000000019A9D829)|UNKNOWN(0000000019A9D681)|UNKNOWN(0000000019A9D639)|UNKNOWN(0000000019A9CB1A)|UNKNOWN(0000000019A9D426)|UNKNOWN(0000000019A9D23B)|UNKNOWN(0000000019A9CFEC)|UNKNOWN(0000000019A9CBF7) 10341000x800000000000000079288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.230{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.230{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.214{45AAC21C-F6CE-63D0-DF02-00000000BA02}3681172C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000139D96DA)|UNKNOWN(00000000139D90D0)|UNKNOWN(00000000139D8BB8)|UNKNOWN(00000000139D80A4)|UNKNOWN(00000000139D74F5)|UNKNOWN(0000000011C318BA)|UNKNOWN(0000000011C31297)|UNKNOWN(0000000008A8B78D)|UNKNOWN(00000000039B1AA7)|UNKNOWN(0000000009C1DC2E)|UNKNOWN(00000000037CB965)|UNKNOWN(00000000037CAFE6)|UNKNOWN(00000000037CAF20)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64) 10341000x800000000000000079285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.214{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.214{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(00000000139B7000)|UNKNOWN(00000000139B6DE0)|UNKNOWN(00000000139B6C7E)|UNKNOWN(00000000139B6BC4)|UNKNOWN(000000000AC3955E)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD) 10341000x800000000000000079282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(00000000139B6DE0)|UNKNOWN(00000000139B6C7E)|UNKNOWN(00000000139B6BC4)|UNKNOWN(000000000AC3955E)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C) 10341000x800000000000000079281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000AC3A340)|UNKNOWN(000000000AC399FC)|UNKNOWN(000000000AC394AA)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645) 10341000x800000000000000079280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AC399FC)|UNKNOWN(000000000AC394AA)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE) 10341000x800000000000000079279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC39C2A)|UNKNOWN(000000000AC39ABF)|UNKNOWN(000000000AC399CF)|UNKNOWN(000000000AC394AA)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE)|UNKNOWN(000000000AB3F438)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64) 23542300x800000000000000079278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7E9FC689F9628A74978A5F024A28F7,SHA256=69A5E5F6708D4910720810854511A71CC49E67CAE1513757960D5DB4E3540668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+15b8f(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+fdd2(wow64)|UNKNOWN(000000000AC31A9E)|UNKNOWN(000000000AC30D19)|UNKNOWN(00000000039BFD1F)|UNKNOWN(0000000008A8F740)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE) 10341000x800000000000000079276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AC30D19)|UNKNOWN(00000000039BFD1F)|UNKNOWN(0000000008A8F740)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE)|UNKNOWN(000000000AB3F438)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64) 10341000x800000000000000079275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC311EA)|UNKNOWN(000000000AC30C02)|UNKNOWN(00000000039BFD1F)|UNKNOWN(0000000008A8F740)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE)|UNKNOWN(000000000AB3F438)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64)|UNKNOWN(0000000019A9CB1A)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2565d2(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\coreclr.dll+11c30f(wow64) 10341000x800000000000000079274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.194{45AAC21C-F6CE-63D0-DF02-00000000BA02}3681172C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(0000000008A8EBB7)|UNKNOWN(0000000011C317D9)|UNKNOWN(0000000011C31297)|UNKNOWN(0000000008A8B78D)|UNKNOWN(00000000039B1AA7)|UNKNOWN(0000000009C1DC2E)|UNKNOWN(00000000037CB965)|UNKNOWN(00000000037CAFE6)|UNKNOWN(00000000037CAF20)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64)|UNKNOWN(0000000019A9CB1A)|UNKNOWN(00000000035258ED)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\coreclr.dll+11c30f(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\coreclr.dll+6c07b(wow64) 10341000x800000000000000079273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.177{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.177{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.161{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33c57(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6a1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+451c0(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2acac(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c1ab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+440da(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c447(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.161{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.161{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.161{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.161{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.161{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.145{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.130{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.130{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.130{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.130{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.130{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.114{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.110{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.110{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.110{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.110{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.110{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.110{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2d09(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9424|C:\Windows\System32\wow64.dll+31e13|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33c57(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6a1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+451c0(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2acac(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+1e358(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df7d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a220(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+1e358(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df7d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a9fb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+43d82(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df59(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED35-63D0-7E00-00000000BA02}12364116C:\Windows\system32\csrss.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+840bd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+69fef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df31(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000079223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.105{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin1.0.0.0---Stub.exe"C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin"C:\Users\Administrator\Downloads\asyncrat\bin\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2HighMD5=6ED2CF43291BFAE767FC30810080B368,SHA256=3DED72380741082FABCEE8CD4F7CB2E09C67FF53C477DE3173A97616BB197396,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe" 10341000x800000000000000079222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED0A-63D0-1300-00000000BA02}3643180C:\Windows\System32\svchost.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.094{45AAC21C-ED4E-63D0-9300-00000000BA02}13362660C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:55.061{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED449252D95F773761CBCD3B9238BEAE,SHA256=CAD5D2B451C7592F767EB8F2FF99AC004F4F053D3EC936EC0AD33F093492F966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:56.398{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C38F4E206FA04867B767EFDA441A51,SHA256=BEFAF50697C11FA86CCD45382C8377FC539B8BCA06D6D3BC78434494FAE75535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:56.149{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71AD1D390825CF58F6F6AB9512682C68,SHA256=94096834742F116CAE6BFA69AB40C908925797FF8C332C9DC26B7FF4AFAB20DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:56.081{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8CE1FF843144A65B5B18D87D521DC2,SHA256=9445BFAA4B2445467B2BE6332200D4D4C1F86659FD9ED7E88C89126025CD3A34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:56.081{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:56.081{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:56.081{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:56.081{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000079301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:53.794{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49475-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:57.482{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C718694F64F46C56304EE25F26842D,SHA256=B9A8CA2C9229D55A131167319042F3161F368F8DDECEA0AB8251D2412A8EF10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:57.170{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDC7B79BCAA5AE08F121F61180D07D1,SHA256=7F5E3D19FD26FF1728710315F02161FA8B85268F9D057B2491FC968D79FF0099,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:57.116{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000079309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:57.116{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000079308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:57.115{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 23542300x800000000000000036252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:58.581{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697D95D7AF95DCA43D6597E24A81E397,SHA256=4F385A9C09B48F80ABED2FC43EEEE821577C0395AF2601A62FA7B33D9CF58B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.571{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.571{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.437{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.437{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.437{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.437{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.437{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.437{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.398{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.398{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000079312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:58.165{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63A33050AA334410210E85792286A2C,SHA256=7DA5966F8DA631748CF3CBEAB53A7EAFE48A8DAB034E47C4DCD8D270B71A14F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:58.342{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6E30752CD924E26DF8EA0755B387BB9C,SHA256=32E84F192C082DBA5EE87E76CAEB2BDCC7547716CFACE1315C95D4805678CB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:59.681{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533CFF0E0FCBE44B9B95BC07E0413534,SHA256=1EF7FC22FB50C666D51EEF5FA0B8ABD1A41C2A952ABE193AD926795478341746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:59.238{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE10E0E49A8B46047E05DE463250D41C,SHA256=B8E4AAA222BB5144FB07F6B13CBFF9BD171825E4714410AFE18D6A9DE7129FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:00:55.986{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50555-false10.0.1.12-8000- 10341000x800000000000000036267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.969{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.958{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.951{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.942{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.934{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.929{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.923{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.913{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.899{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.884{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.876{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.874{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000036255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:00.771{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B280894BA6DC11638E7ACE0DCD88ACD5,SHA256=04512976271BCA53337E7F174F8518347070790612AB1D61B878FCA8F9F91A9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.963{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.959{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.953{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.946{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.940{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.936{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.934{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.928{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.918{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.913{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.908{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.900{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.893{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.870{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.861{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.854{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.846{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.839{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.805{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.802{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.637{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.637{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.622{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.622{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.589{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.588{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 13241300x800000000000000079335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000079334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0041c73b) 13241300x800000000000000079333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9309b-0x8b3c1b21) 13241300x800000000000000079332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d930a3-0xed008321) 13241300x800000000000000079331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d930ac-0x4ec4eb21) 13241300x800000000000000079330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000079329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0041c73b) 13241300x800000000000000079328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9309b-0x8b3c1b21) 13241300x800000000000000079327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d930a3-0xed008321) 13241300x800000000000000079326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:01:00.475{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d930ac-0x4ec4eb21) 23542300x800000000000000079325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.291{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234B9303E72D0EC444EA042C2DA38948,SHA256=A401FB9B504CD8B84034BE92193C42C5EE9C47628035B4BE4055FAC50A32B6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:00.091{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=FE0BCB8C43A01F7273C6447EA73C6B95,SHA256=0F99F032F3FFA8EBD6F30E02A95FBB64BFFCDB7851C959DB77E25CCA256FF071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.978{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06084AB4AEBDB1AEE46E765D8A48763,SHA256=1FB07A9487054A2AAAA09E12F6B45A18354898C66FD28922D0FE62098261C53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:01.472{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A1866081DFB7C5C0464A220DF8ACAD,SHA256=0561B33B65ABDE11FC0FC493682439013526645B73560228E1D0F75B1CD242B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:01.311{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:01.307{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:01.304{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000036284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.097{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.094{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.088{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.086{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.085{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.083{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.082{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.080{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.077{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.073{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.070{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.058{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.056{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.054{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.037{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.033{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.013{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000079369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:02.406{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35F3D02E755B6129B0506CEC4908702,SHA256=64187672B2C47E4A19DB12F4F663B159EC9517C0B405A732F35AC94D7E562E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:02.029{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-069MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:00:59.739{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49476-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000079384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.991{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.939{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.924{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.906{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.898{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.896{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.890{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.885{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.884{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.877{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.875{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000079373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.507{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF45C5BDE681694B1952C441F09095C,SHA256=0592D44DEF6C83C1E05E1CE72CBCC027A22D4F4B906E02B1B87CE559287965AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:03.076{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2653ACAB7F0D71F934F9A6B5652225,SHA256=658F2CBEEDF913667F88F9A55C33189285E06E5C3334EAE164399296917DA0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:03.028{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.364{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.361{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:03.358{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000079407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.774{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99AE6A7E0C19F5586AFE408B3FE03A5,SHA256=9775B34CB90DBB44E2C609ADE849305BCFFCA236763B398505358EF39ADCF2E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:01.105{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50556-false10.0.1.12-8000- 23542300x800000000000000036289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:04.163{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48EC3D38EE7A69C32C16557A127288E,SHA256=6B628FD821D833173F2720A08FE05A655486321A9FD79807BFED0107634A0824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.443{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.443{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.230{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.224{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.216{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.208{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.200{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.195{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.189{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.182{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.176{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.170{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.161{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.158{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.140{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.106{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.071{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.064{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.056{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.052{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000079408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:05.807{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42E5B6279CE7F9DD7F9FAB2872400AB,SHA256=F3F4600CBB6272C4298FA2E2BC87C0E56E234FB4281C1077F5732CDB63AD94C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:05.270{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A7590BEF18E9E8843310A126A8FA13,SHA256=D8D7275F6C2B0344E63864F1F3B7C71B6E9E7777BD3543F9FF69D85C622983CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:06.907{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5ECD5DE1DD8315B1371509D19C0FC3E,SHA256=5478384DE51835D7D1A4011E94FA8198A3E2BAABD523E58DAAFCA8DC2633E859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:06.362{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9BF86CC0A629901085CC7FEF6B69EB,SHA256=5720F5FC6ADDC0201CC78507A325C30D5AC8DA849892631B728B399F4DDA3D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:07.451{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB12756B6311B117D813CE02A6D23B66,SHA256=84F28406ACE7B602A3D117F4C2D56DF7FF3C238B79705D62B79B9F8D1E126DFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:04.840{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49477-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000036295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:06.107{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50557-false10.0.1.12-8000- 23542300x800000000000000036294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:08.552{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52211030AE11AC437B44B4066B446A47,SHA256=D9B8517D508D55DFDCDE446111D96F0046E02AF74FCC3C5B4125EB8D9E3E584A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:08.010{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD096CEC4ABFEAEC97738DB9064B4BA,SHA256=50879A028A42B77F21C144B424FD5D5FDE1BEE076EF2C6F9D43A92D7A3A430DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:09.660{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9DE70E2D82CD7D400341C9962187B1,SHA256=110994B2F5900ECD0A9A80A551898C0B1B762EDBF0A9C0B466F5FBF6EA4555EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:09.109{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A888EBFC79AA226D349923C38EB7056,SHA256=9897C45718F9FDE5FA4D95992890A50C8E1DB88FBBE5AAAE45410759872B3198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:10.765{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4333AE8FF80C6AFCF0D1E23D04FF296C,SHA256=7E2EA4756B7A74EBAC2FC9D36DA4C93DA11AD350A667C90E6842365BB793F364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:10.162{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9360C28253C9DA96515A307EA85D10A6,SHA256=1CC3537E1CB0120D20C6E265418693AED37069BF6BC7F115D12FF17FB9559183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:11.865{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFF648E9B018285D4EA3878E5350AD0,SHA256=42A0B72574FE381E08B85DCB04D90099DD2802951C96E259ADE3CE66EDBDF5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:11.263{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5858248E0908815FF39DA1FF8F7A4A27,SHA256=637F95B6E640E13A44587D69EF359E83E550644116FD2A1A785397CBF21871D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:12.956{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950DD8D592A0A3D3CABA447E872AAEB9,SHA256=E5BD63B699E772909637566D6BB829B7743515489A8EE29F02D3F1204CC87593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:12.364{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AC2A39C0972FB7B55C43FE7E8A0094,SHA256=2C3616B11BF9F5D3060D926BA48A11875716D9C150B05E86C89CBE3A88B0B750,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:10.713{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49478-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:13.435{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C083714A5E9D9E30AB718324D746F7,SHA256=518A232EB1A67F45EADD0586831CF65E294373E69871A0B008795C43089546AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:14.822{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4EBBAC546572FDD52DD200F496DB3A62,SHA256=668041DD966B45674B050774CF075042DD9CD2C8A30094713D8822199C5D45AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:14.536{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF87A4AE6AEFB7D687DBF299A836FDC7,SHA256=33F389A6BC54B8166A1664877FE1E6960D9FAA6D4083D5538BDD32AD8C7BD066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:14.653{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A162DA95760B01114851AE68DA3E0000,SHA256=1B2005EE4FC4F261B42D1A266DF42A0FFE1376425AE1BC5D8AAABD347F34727D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:14.062{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04E514694E1BAB10FE1BFD1D2444FA8,SHA256=1522099BC22C681B8433A3AFDCFDA1820D4849B72CB66F11230DA816565CDC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:15.941{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5FBA947696ECB641CDA8E251D958F040,SHA256=689DA3089D4D848E3FDBDD2F4B343965E33F35069A77EA976DA7977D3AC3532B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:15.623{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B53B4327988CB26F921D83795FC22A,SHA256=A89ADE0336EFE1EF1AF0686132AC94D912724ED495DD6F016F2530CC087DA4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:15.153{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC3321854DF15EEC20CF27637D7B14D,SHA256=A7EB81FFD581822E301A9C23746A7A37170A5B189DF25972122B0D4F99A30144,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:12.024{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50558-false10.0.1.12-8000- 23542300x800000000000000079423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:16.780{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-069MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:16.693{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA42B7F77C1E1E45B116B858D5A741D,SHA256=EEDB8A8E9A4ECB112208361166D4574F69626BE027272BABC197345050DF0C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:16.235{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ABC69265856E3C3F783DC56DD2AB1D,SHA256=1E63419D7225BC449152C3CA0CEEA232C2ED86D8CD169EA006DBAF7C10DED622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:17.780{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:17.762{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E1C9F8FF6C17265CEDD28CA493C885,SHA256=0FE39313E2BDE5A92E9D6D1ADB02911E934998ECA7C49182F8ACF24C63040C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:17.789{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:17.789{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:17.789{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:17.321{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F264E2F0B8AABDD1C8E59CF89CB89E,SHA256=32EDDCE935813ECB1869A077B0532935E053579432B0985855CCADB3FFCB46BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:18.419{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39971D82764223F50802137092B7AE7B,SHA256=CC04DE3E0B3EFA6CFCB024E2F7084B06F8E84B452728CBD3DE3DA67C0445334E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.994{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.979{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.979{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.963{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.948{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.948{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.944{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.929{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.911{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.911{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.895{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.880{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.880{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.864{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.864{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.849{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.829{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.829{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.802{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.802{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.787{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.771{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.771{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.756{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.756{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.752{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.729{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.722{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.711{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.705{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.698{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.679{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.679{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.663{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.648{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.648{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.628{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.611{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.611{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.596{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.596{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.596{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.596{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.580{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.565{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.565{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.561{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 23542300x800000000000000079431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.528{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.478{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.478{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.463{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000079427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.463{45AAC21C-F6CE-63D0-DF02-00000000BA02}3684380C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000079426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:15.825{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49479-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.849{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA5961303BFCB69D41EE4707B0C998E,SHA256=EDEA589EDE8AAD4746D551C628EB3051E1C7A752060C2EFC8AAA237ACDC45310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:19.519{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69CB17865F20465E744143AF59CD468,SHA256=B2E49B30614DFDEC83DB6E957A4D563EFFC39915921A2DCF3D068E1CF38F8301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.179{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF32718A864AD22E9CF3E845F587EADD,SHA256=E09C74AEA7ADB968A23E0A0FA4599ADA06407E5A8476C735267E58166F7228A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.107{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.088{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.073{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.073{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.073{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.071{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.066{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.060{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.040{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.036{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 23542300x800000000000000079481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.029{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AF0F82B6C9E8B5A3DAF94C354F8DD8,SHA256=090AC86A954A46974EBCD1B675F87B0B0284705EC4B276BEB47E18868F3CCB9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:19.027{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.994{45AAC21C-FDD7-63D0-C603-00000000BA02}29207220C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000056147BE)|UNKNOWN(00000000056145AB)|UNKNOWN(000000000561320C)|UNKNOWN(0000000005611C4E)|UNKNOWN(000000000561166F)|UNKNOWN(00000000055AF8E5)|UNKNOWN(0000000005392006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000079502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.992{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.951{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.929{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000079498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.909{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCAF83881B4A6879981C4639ECF84D7,SHA256=A4B357AE0E751565E2AEAF66C1B38737ECCA883470D0470B780E808B74DBFDCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.996{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.976{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.969{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.964{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.958{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.951{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.945{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.939{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.931{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.925{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.918{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.907{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.905{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000036312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:20.611{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B92ED7A4C439D2E7A5A05B85A972749,SHA256=B024E14C48E4100B1FA917D51AF014B85BC14590370FCC0EB0EC75A060922693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.830{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.825{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x800000000000000079495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:18.143{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49480-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000079494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:20.281{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=33FB33A53ABB4E7A8299A348118B3071,SHA256=DAF3E2813FEFBF81F480FB944BF0A6C8009966DE060D2F5CF809DBFE6CA3C74A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:17.093{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50559-false10.0.1.12-8000- 23542300x800000000000000036342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.960{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB4CD81F94FEEF6451CD74C9E415351,SHA256=E289585EE19C6944CD1358709CE2D01B99FA46DBD2D097C7C5AF7707651A56BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.891{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.888{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.884{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.207{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.196{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.177{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.150{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.145{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.137{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.130{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.128{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.117{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.090{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.084{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.058{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.019{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000036341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.052{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.049{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.047{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.045{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.044{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.042{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.042{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.040{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.039{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.036{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.033{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.024{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.022{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.014{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:21.012{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000079522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:22.032{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46D4E5DEB8030DE91A5A2EBA1247EB1,SHA256=1A74F2672AD8C00FBD18CC7A5F577A20B4FDEE2E79510FA278E17B9990B083FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:23.924{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:23.920{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:23.916{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x800000000000000079524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:21.684{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49481-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:23.117{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A7A823D383DED51C06C0448B85C968,SHA256=9377794C3DC2F675D03C1A2424E9AB906EAC50FEA90A9D0FBA67532A09FDAFEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:23.232{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:23.232{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:23.232{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:23.219{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:23.091{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723B5596916A0088D19529E529B0869F,SHA256=5BC810A8798906E78C73A3B687DAAEF34137EBF1AB5F9CE3EA86F3021DF82702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.763{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.756{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.752{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.749{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.746{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.742{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.739{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.734{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.724{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.718{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.715{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.713{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.696{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.657{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.634{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.629{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.626{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.621{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.618{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.572{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.537{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.498{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.481{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.467{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.458{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.452{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.449{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.442{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.439{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.436{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000079529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.434{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000079528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:24.171{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B4A54BD340E393FADC9862BF9E268B,SHA256=55392BF1F5A93918FC437F4599B55FF9DD7C46CCC9337C3892FFE24FF4F24262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:24.189{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910055BD1E4CC3A1FA554D43AE979B19,SHA256=82532ABDF98B88933FB384ACA19037D5D32FE8230B6B35043E5907E5A1126A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:25.688{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8314B9B3A343CDC8605D68EAD28A230E,SHA256=4F751281AF43B956FC689D62D9F193A0F96A909F2DC2244354354F52ACFC2C41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:22.960{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50560-false10.0.1.12-8000- 23542300x800000000000000036349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:25.295{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265A69D3110FC0DE1DD99FEDAACEDA59,SHA256=0B495D05C566412A83CCF97BB59EBAB2959FD1C386247B94E06117D72B2F493D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDF6-63D0-8002-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FDF6-63D0-8002-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.953{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDF6-63D0-8002-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.954{72106695-FDF6-63D0-8002-00000000BB02}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.781{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AD01AF511FB0B8AB6049BBAA3A3FF20C,SHA256=B6F9BD5D4C3DD36286768DBC475DF4D3752C3A168D172FACAD802A0413352B98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.689{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.689{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.689{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.689{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.689{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.689{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.447{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.449{72106695-FDF6-63D0-7F02-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.385{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0B9598E32D285AC4B5BFC92DA5636C,SHA256=BE152EB9F3DFF1C8AD96CA95C6E5FC0DD56448FD5A0750C56F771731C9651DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:26.773{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E10CBD7BAFF623F8B5EB6A42B3905AD,SHA256=8A2D2212AFBD8B7EDA2C49F70920F0135A0E1C049D3F47A0E06FC6AD602D8FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:26.291{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:27.840{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7E9FFDD1304DA0B6E0772FCED2957A,SHA256=023ED04AA72E8A651DB2206B55CDD055490C9D97396CC886CA493D84AC946CF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:25.172{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50561-false10.0.1.12-8089- 10341000x800000000000000036403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.729{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF7-63D0-8102-00000000BB02}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.729{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF7-63D0-8102-00000000BB02}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.729{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FDF7-63D0-8102-00000000BB02}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000036400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDF7-63D0-8102-00000000BB02}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FDF7-63D0-8102-00000000BB02}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.631{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDF7-63D0-8102-00000000BB02}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.632{72106695-FDF7-63D0-8102-00000000BB02}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.472{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A3E0657512E102EA0C27D1E8C3FC603,SHA256=BD697934541648A649DA5226394EA3135E8FBE5B506C6C2DCE35118914C3E6B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:27.125{72106695-FDF6-63D0-8002-00000000BB02}40923864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:27.439{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:27.438{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:28.909{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8902ABD63727D73F014A1EEABBEC37D7,SHA256=46004B826057813FDE34D082219BCD4C9DB30344E6F02499971ABBB9D746F80A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.867{72106695-FDF8-63D0-8202-00000000BB02}39042700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.701{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDF8-63D0-8202-00000000BB02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.699{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.699{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.699{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.699{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.699{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.699{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.699{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.698{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.698{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.698{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FDF8-63D0-8202-00000000BB02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.698{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDF8-63D0-8202-00000000BB02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.698{72106695-FDF8-63D0-8202-00000000BB02}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.587{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABFBC6B9D2AB615B1C8B332EEB2263DD,SHA256=68D39A1CE98D8F69D480CF9BB5601803CF76BCCC4462715688D4F4750EB8874A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.587{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D3C42666A8BC8C770F063200D92872F,SHA256=685484D51A65E9471D6CFA9D3C4A3096278ACFBEC602720CE5B2400659692B55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:26.691{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49482-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.091{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158BAA66A669CBA01833294BDC4EBA2D,SHA256=AF8473C769EBBA44C172E1EEB5D6BF46977D875C8667BEDC42DB6EA8502B1233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:29.962{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA31FCA949BAF481CAEBE2EFEE98482,SHA256=AE9E64789104BA32ED57B793284E14C12F1CD34919FAE7097A77CB2906761798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:29.693{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4FC692F68934740DDEA43B066C83A2,SHA256=71A607D80A1A74242733D1D0CC7192A4FEDDB164401602ACC7E390F2F902FC58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDFA-63D0-8402-00000000BB02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FDFA-63D0-8402-00000000BB02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.834{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDFA-63D0-8402-00000000BB02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.835{72106695-FDFA-63D0-8402-00000000BB02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.787{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3C2B1F6EB3280FEE2279FB61736E5E,SHA256=7B10D67AFA6A85DC27DF11A94F23FC139F94DE3ED813CE7E514D540DBD165935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.350{72106695-FDFA-63D0-8302-00000000BB02}24604000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDFA-63D0-8302-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FDFA-63D0-8302-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.178{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDFA-63D0-8302-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:30.179{72106695-FDFA-63D0-8302-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:31.858{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F82A120B03393DAA9E5C7BDF8372EF,SHA256=960384A81704CA0C74EB923ECBF66B8DF61B1A59503A89EDADD28C1BD03896C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:31.322{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:31.322{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:31.322{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED08-63D0-0A00-00000000BA02}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:30.998{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F369929E9CC918667FE5EEEDFFE6743C,SHA256=1F7342503618C354B1019DB2A07B67461EF1FFABF7DBC496E0FFE522EA00A44A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:28.107{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50562-false10.0.1.12-8000- 10341000x800000000000000036451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:31.053{72106695-FDFA-63D0-8402-00000000BB02}30803644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.953{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18F5C756B8F72096424A5C9480E1A63,SHA256=3C8C5B6D15D93E2F5DD48F5D2AD82ACC1BBB1E76440E6F46DBB3EC42963C028C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FDFC-63D0-8502-00000000BB02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FDFC-63D0-8502-00000000BB02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.890{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FDFC-63D0-8502-00000000BB02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:32.891{72106695-FDFC-63D0-8502-00000000BB02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000079576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:32.367{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:32.367{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:32.367{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:32.324{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=318FB1EF66CCF89D20886856B04CCA9A,SHA256=57E00CC2D2497552194474ED893E1752D404C7D19592A5AC9D8FB1547A55083B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:32.050{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B0E9C76E2F657CA550EA45A0F8388B,SHA256=C1FF89A37E24DC64C9082886FAA6CE89D8769D4EAB4D41D510EF73C1175501F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:33.947{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C863FBA3B7F1518F9AD9135287F94188,SHA256=56E08B9BE566B3605ADC6B8E0BE46195437A6BD03B97495AEF75FF6FDA9DFA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:33.821{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=C304146F06D5A52628A7DBAC1C9578DD,SHA256=FAB7F1B91114872B495FEE0F90C11215890EF555C89E30F07AF469E9DA35E596,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:30.968{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55714- 23542300x800000000000000079577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:33.089{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59F9C5FD165A8B3ECB7C565EBCB1F0A,SHA256=2F19B7131FD22BBD33FB907491CBB3BA1CBDE5D23EEBB30ADE6BA95E1F613AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:31.699{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49484-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000079581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:30.990{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49483-false8.240.198.254-80http 23542300x800000000000000079580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:34.156{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF11A2D90F264D8C705BB91DF6A847A,SHA256=3DBE18611A06CFF5982EBEAC613D9BF3A64E5B49E2FBEB64C24C94D2D5B202CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:34.150{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F674B0E36D4F40C36CD60220E7EE41FB,SHA256=2F60BE4436453D4045C7D853D48FE5A8D316EAFE18AE1131C36DDB447D046A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:35.225{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8391752D63D80F5047203885890D04A,SHA256=C8F232C19F5A3E33CAC11CD9B2775D258C04BDB98E11DC31DBE4B6DF3574A7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:35.050{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2022F414B13874F4FFF72424163FA0,SHA256=4A9478B82C2A0BB0CF8B667EEFC5A413530A7217A57507B19534FAA5F120DC64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:33.986{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52051- 23542300x800000000000000079584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:36.262{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDF606ACCEC78041111DCF18B108C74,SHA256=82FCFA32E67FD893C913DBFAB772CDFE21BB1EF7C0489FFDCFC2D359B63B22DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:33.927{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50563-false10.0.1.12-8000- 23542300x800000000000000036471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:36.118{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F2990D827FC99D150F84CE8252ED22,SHA256=FD9DC3D0D575CE33A154E3F7F41D6D90EC4E41C47692BB16BE0B597255B55B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:37.209{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E420B324E026C6EAE72431489999315,SHA256=81C31377E785FD23EFC26C6340058FB7E5785D9E2291E40C85E53EC2775BBD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:37.380{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1439AC302133D84633E2200DB3F6B46,SHA256=BB9592729F431D37528E61EB3C47D52A7365B2AB3536E5AD757AAFF4C09BF221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:38.318{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F5B857408F4F63BCE824AB6B834D92,SHA256=BF10272239ECB39AA47A01E222B947313ACFAAED9DDCE0CE052A5D4A45022E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:38.416{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62C53A08F02C9991A394DC618FD44CE,SHA256=CAAD0CB253BE6DCFC6EA344111E685F387AF0F7464D6DEA4FDEC090189863767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:39.427{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036474151DB498FAAC2CCE445DEAF5FA,SHA256=22827631E1D8CD0C7B3D5CE191898C46BD925B7556D30F234FF13FC85594359F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:39.633{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=72EF3185FD871933ACDA5ABD22317CF5,SHA256=7859F7D5AB90847ADBC3885E6380D6F4FD24D7533DF8B2AB9698CA96E06F10B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:39.502{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A584E3ECD7909BB9E3F2AE5E8399717E,SHA256=BE2C1DB81E68E577D95F19710B4FC97C0A38E96DD14437000AD0BB96B6171EC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:37.665{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49485-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000036494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.990{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.987{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.986{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.980{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.978{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.967{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.946{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.939{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.934{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.929{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.922{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.918{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.910{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.902{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.895{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.889{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.882{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.880{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000036476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.512{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE156C70899C619A5B34ECC0ABC300AE,SHA256=D4D1CF0C06E11DCDDA2DF24C74E7587797CCD0A97FB0734704B66718516FB20E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.970{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.939{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.926{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.890{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.881{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.817{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000079591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:40.551{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7505750E361BB9D31F09BC31E629E575,SHA256=5AF725AA37FD46DB778AB2407C7D8B02D0238624356934B78C4806E60500BADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.954{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E872FE10E1E800DEE9EC301BBF1503,SHA256=B8EBDF50286061108A6A70E20DD1E32F403792F6691E649416B91014F62E4CD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.816{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.810{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.804{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000079614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.588{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E76CC2A484D14F50AEB42D10A96721D,SHA256=EE53760B1A534E8EAA98D08EEF306ECC5EAA389612685EC78CEA307C2541A569,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.023{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.021{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.018{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.010{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.009{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.007{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.007{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.005{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.004{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:41.002{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:40.999{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000079613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.165{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.159{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.150{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.139{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.138{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.127{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.121{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.113{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.104{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.095{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.072{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.065{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.035{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:41.023{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.740{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE06-63D0-C703-00000000BA02}7420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.740{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.740{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.740{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.740{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.740{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FE06-63D0-C703-00000000BA02}7420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.740{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE06-63D0-C703-00000000BA02}7420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.741{45AAC21C-FE06-63D0-C703-00000000BA02}7420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000079618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.638{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AC44E7F90B97EAD11E3BF3168E270A,SHA256=E7B16A9FE00F52A7B99247986281019AA361B26FA0FE62013100F5998C40E806,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:39.029{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50564-false10.0.1.12-8000- 10341000x800000000000000079644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.833{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.831{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000079642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.829{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=621D2341D28BF5FE4361DE4FBADE8A78,SHA256=C7311CB62A803324A469A4DC24871B16A1D2327DEFFD6ACE93E8CDB97F3A875C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.827{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000079640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.704{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00520FF098AA33668261DC6CED242EE0,SHA256=A2710B6BC9206976F79AD139217C831A12FF255B2BEF76E643E439F54D42A3C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.685{45AAC21C-FE07-63D0-C803-00000000BA02}61367244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:43.133{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BC7F5DCBB0DA7D19DAE2B336E4F046,SHA256=98F1B638D4425FA90A55335E715696D8D86D8D1862181154E06B375C6F827793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.630{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.630{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.629{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.602{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.413{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE07-63D0-C803-00000000BA02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.409{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.409{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.409{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.408{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.408{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FE07-63D0-C803-00000000BA02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.408{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE07-63D0-C803-00000000BA02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.407{45AAC21C-FE07-63D0-C803-00000000BA02}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000079687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.894{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9848C866DAE01675219035F8AC5E1669,SHA256=CA9EB14874FFC2CEE238BFCADE531529BF646F8B0B2A06FFFBDE534510736F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:44.232{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EDF1D6CAF78ED4160E6B888DF55949,SHA256=E48E27F9FF11617346D3B4D6C0D86A85C2B0EC867DF9A8C07CE40DD27E3C0B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.596{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.587{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.580{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.578{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.575{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.571{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.569{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.565{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.560{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.556{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.553{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.551{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.503{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000079672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.500{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B0E569D63029D2DFDF7E172D368D1EAD,SHA256=F4491A2A5620905A665FB1EE50FE583E18A44C2DB0ECC83A8A2AE5CFE302AB6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:42.778{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49486-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000079670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.484{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.483{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.481{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.477{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.474{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.442{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000079664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.427{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.399{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.390{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.368{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.361{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.359{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.353{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.345{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.344{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.341{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.340{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000079653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.204{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE08-63D0-C903-00000000BA02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.203{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.202{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.202{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.202{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.200{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FE08-63D0-C903-00000000BA02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.200{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE08-63D0-C903-00000000BA02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.201{45AAC21C-FE08-63D0-C903-00000000BA02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000079645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:44.112{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5CA622682C88918071E51DAACA269509,SHA256=83C61E8ED6584FD0ED104A113A3514EC79DBD7DA7480BC60142E5CA6AED7DF49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:45.946{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1D6BD75FD3442F6841449660E639FC,SHA256=92A224A9B1A6D1EECCD0889E8C80519ABFD79A1944E988956DF5058098AA06B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:45.337{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDA16532EC064C4F7A4EAF57E589C46,SHA256=BF51352AD8779779ECB6E51C4B931C093F6EF8C40228A6D98602B2D18F0081E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.708{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49487-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000079688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:43.708{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49487-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000036512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:44.139{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50565-false10.0.1.12-8000- 23542300x800000000000000036511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:46.533{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9935BD4D946F3E6A4D15A30DC4766414,SHA256=044EF9603785FA1A755EFBAACF8164EA2E4624F790021AE8395BA997BF674DD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.491{45AAC21C-FE0A-63D0-CA03-00000000BA02}71047704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.450{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.450{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.450{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.448{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.448{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.448{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.246{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.246{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.246{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.246{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.246{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.246{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.246{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.247{45AAC21C-FE0A-63D0-CA03-00000000BA02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000079692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.062{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:46.062{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:47.625{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2519F6D2CBDFD9E186D3018CBEEA661D,SHA256=B76706A0786324BE86EEFF2F48FDC922BA3175B818353D849F3A66AED18BDBC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.969{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.969{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.969{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.969{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.969{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.969{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.969{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.970{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000079723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.616{45AAC21C-FE0B-63D0-CB03-00000000BA02}51244856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.502{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.500{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.500{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.500{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.497{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.497{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000079716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.292{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.292{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.292{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.292{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.292{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.292{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.292{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.293{45AAC21C-FE0B-63D0-CB03-00000000BA02}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000079708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.007{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4423CABF73D72257B07D439399B507D,SHA256=564E1B3ED95BC791849259D30CF4B292BDBF3F231382B91840E0B295127BE023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:48.734{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA0D35564D93BA6F88BBD3BC0ADF498,SHA256=1740AAB0CAD96FBBB16FA4F0F763198E3945220F8104BCB5F3A3386DAD4276B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:48.254{45AAC21C-FE0B-63D0-CC03-00000000BA02}42044216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0B-63D0-CC03-00000000BA02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:48.054{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DD641C8C6F10C8D630DB5DB9E886AB,SHA256=A6FFC358465FEE7503910910FF755E0D9B3C8C6B264569D950C080F0F6BA329C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:49.835{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CCF54FE29CA7F1CF537BD23AB99DF6,SHA256=EABC41BDDFB38EA3CB4709597F6F4872C95B05B8C2AEC9EFAABEDFBF415E8A44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.903{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.903{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.903{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.903{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.903{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.903{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000079742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.903{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.904{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000079740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:47.834{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49488-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.101{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECFDE7F12EB0A6C4B26F1061F720E05,SHA256=E6244EF262BC09FB09E4BC431EFC3629BE7E02AD54429F058CBAD6128BF0CB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:49.101{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADEC7BC1B8A247FF5E86759F1E6B40CB,SHA256=1550ACA639BA1FE2E364E413B4969BB1766E17E8DC3950DD41E9BDE0452F06C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:46.236{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:816:2e82:f5ff:fef0win-host-ctus-attack-range-212546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000036517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:50.919{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB511698182146FE37AAE0F335368EAF,SHA256=F2A37AF23CD206C28F475CFDFFE8FF3DF7760F9155BBA097CB685B5CB5AC74B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:50.156{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B506973FDF1267C899C12F63700C3BF,SHA256=809787ACF62FD6A68B42C8261DFD9A96F8B154624477E8D954BBC7C34C9D29E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:50.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE0D-63D0-CD03-00000000BA02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:51.205{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499424CEDC5AD6F1EDF406B6FDF8FB2B,SHA256=F8A241206418520C04674292A6773E5FA1B7F977D263A8405B49BB2D12E57F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:52.259{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767EBF49153019EE6FB245D3BF603C73,SHA256=5C758A1F2ADA2AD40FC8EB77DFFC945794FAC888B055FFF8F091018C121522EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:50.048{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50566-false10.0.1.12-8000- 23542300x800000000000000036518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:52.003{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB26E0CCA44111984827A49ED0F1C74C,SHA256=3E93F08014B76AA43583CD1D284A4A757B9DDA3703B328C336AFD068559D81D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:53.396{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:53.396{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:53.312{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E73817B7F1192F926CCA2126A4FBF76,SHA256=BEA8A403F3461184BA72ACD25D830D7AC10AA398A6C0B6822F4FA25966D4F27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:53.087{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFA146872457344857A7DE32A680999,SHA256=80D339C91883B89F48413CBD480FA12444A0D8EB16F352C988442B7477A42753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:54.365{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36CEE3F17B0145623A190BBA2BC11A8,SHA256=89F0066F1F1A5938F842CF7FC90C079879C9CC6B44E48671A8FE9E4CD3D5D4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:54.160{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806DB6AE49740C732F1587255A114918,SHA256=0A44244641B43136C882834950BF5F6C2707A72CED34A41028F3BBA7F13771E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:53.647{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49489-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:55.419{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822F27497784747D766A463EEB055523,SHA256=ADF6D51AC139DF61F223A14133D5F9D6194DED048DAB3B5040D2F1522A5010E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:55.253{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82527A352168700C2B5B9B3FD1BC2E5,SHA256=ECA9A46A67961E8BFC828AA74B5FFD249A49A4A0532F673B2112945743ABB3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:56.491{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE8FD2A45788B22336A567FC6049B3A,SHA256=0B95FC2142131E3768CC79CE5306BB835B4DA8C3BE88955B9E500F9FC5F28286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:56.337{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C803DF28D89BC4D54433EF53BFA8A8C2,SHA256=CAF246460663509FAFFF99BE7F27658788AB1D92154F2F756351CB51109FD96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:57.803{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=112148419233172D4E83658AF0F4A869,SHA256=7BBB6D75ADD14D0A828627954F79AB66DE41A66108FAAD048459507D4376866D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:57.425{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECC4CBDD7B72341FFCE904D4BFAE452,SHA256=B26F2960EF563F606822FBC9757FE80BAF1C8B9731CAD178711DD09652DECBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:57.558{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D59569FC4C97CB02D0E0B062D1E885,SHA256=2A8D2DFA309FC558677F21973303EAD7F1FB007894D559A895092A0A05040681,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:55.978{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50567-false10.0.1.12-8000- 23542300x800000000000000036526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:58.518{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C33CC79A09B479CA61D4B620639EF7D,SHA256=19B625D5B764096CD84824F7A576AD94A5E8872A93573AAC5B8F9E90FB126125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:58.581{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF89D218702D5192713224E035F7A196,SHA256=6B70F329338047650AC74D05CF6337995B80443F7F4CDF6F2393DE3B4082C6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:01:59.617{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BB855C245D1FB22C9AE44A899D406E,SHA256=84E05CDBF64B0635ADD3200FD0808F2B38DBB3431565D8C223DE1DB899EEC35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:59.719{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273B0A8A491AF00B73117D7AD5E3BA76,SHA256=4E972DC74B9931F314FC9AD79381DE93F3E6854649B8ED3ACCF791BDED18C058,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:59.596{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:59.596{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.989{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.962{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.955{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.949{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.941{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.933{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.927{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.920{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.912{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.905{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.897{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.888{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.886{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000036529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:00.717{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B99EF598E50F171B27CA2EB7B388C6B,SHA256=0F6B616EA81AAF7A5795E794CEB2F9C2829A90B714775A2734F1C8DA386F9825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.984{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.971{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.959{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.903{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.890{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.888{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.880{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.873{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.863{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.855{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.805{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.802{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000079769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:00.734{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB959CAE350A0991A4B17CD785959F0B,SHA256=5D7DA8C9D2130247FE5D70E9D516156ACFB02736AC1A4F66CA764C3FD2038955,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:01:58.729{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49490-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.778{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940B948816C447BF7AC91BB8DA511B5F,SHA256=72DA18E9B5ECFBFEC28A3F84D468ADAC014E23A1658268B0D0553BFDFBE4E01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.965{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35A4C7179C0AF94F9043F53773E3C42,SHA256=3448990E13266F91702DAB385C29FF866EC1902329E5947421D6386CDB64B869,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.086{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.081{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.079{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.076{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.074{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.071{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.070{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.067{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.065{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.055{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.047{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.030{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.026{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.019{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.009{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.001{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000079793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.092{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.065{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.043{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.033{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.031{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.024{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.018{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.016{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.014{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:01.005{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000079800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:02.921{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5765B6B62CD0347BCB2DF4F0A254BFF5,SHA256=6F0E2E28893765B7FAE10E2D8E59FBF1A2FA5B2C86B2B5CDBF52FE8E901DA84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:02.887{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:02.887{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:02.009{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:02.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:02.002{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000079801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:03.989{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E26F77EB9A474A5963E17978F890C93,SHA256=6F8F3A60C834A83A0C0E5EFF805713242B7E8DEBE07937BE949B1CDE9607DEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:03.550{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-070MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:03.017{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1E9FD0E67A5CBB3FF771B7F38C0B82,SHA256=CA16D1F407FF25DF58A2AE737BC2FD6FBCD83C3D8BFEDEE483A1050D4866DF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:01.065{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50568-false10.0.1.12-8000- 23542300x800000000000000036563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:04.556{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:04.124{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C2DA18F8C2FB8328FAD5712FBE0142,SHA256=4A6C920243B6A05235350BEBB3D03F426A438BFE949D6A117F59E5C432BA142D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.787{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000079834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.781{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000079833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.774{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000079832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.766{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000079831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.755{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000079830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.750{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000079829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.744{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.743{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.742{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.740{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.734{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.729{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.727{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.715{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000079821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.702{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.700{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.693{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.690{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.687{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.660{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.643{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.600{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.586{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.570{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.562{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.558{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.549{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.546{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.545{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.542{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.028{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.027{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000079802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.024{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000036565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:05.219{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DCB8A211D896C6EA1AF5FAA12F7ADB,SHA256=6F52DFE8313F9BC081113526BA474F40B0BBDCDCE93F609C774467A09E2C60CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:05.091{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882CD70377651EA3C5DF6B642DC7F651,SHA256=F2CAA8F5A73A0AB591949D46EDFEAC6B0532462729A360A9DBE425637EC00063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:06.291{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39F5BFB818C6A49C3CB77DE287B97E0,SHA256=D1F51EA1427E2A0AC1786780681962D26A534CE1AC62EFE80767DF46CB811C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:04.743{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49491-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:06.111{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCCE393CDD1B26A5198554CF5983729,SHA256=0CA27F489BFDF7D14D77064EC4D21C3C78757A22447BC641A782B89EFFBEA3EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:07.382{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E5041FC2804AE18DD1B3162E60B9EB,SHA256=36260F9A0B3143098DDB18BB8575CD85063FA09DF5B9F5A3FFD5D35C828346B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:07.979{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=4471BDF8D0A76FC3B2FD954D0817EF4D,SHA256=057B23265772895185CE8BDF06FE83E2A3B6349188868E8531AB076CB2B9D3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:07.160{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256A807FB959A7C8CD1076916164E11C,SHA256=6DB8343EDC6A1F59E0B139937DF6A438DBA6213CD895CA349BAA88AA26AEC9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:08.478{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2C934DF6EC8DD338D0DCC2974256D8,SHA256=00C39E60DA3C0153169BE2AD147DBD2DEA79FEDD91F499AB161D0B4950715908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:08.214{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAB32F278E2839B164C343F0844268C,SHA256=5FFC0012B14EF8283C3B7408E4C282BF773C9D9B85024611EA8C5803E75861DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:06.946{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50569-false10.0.1.12-8000- 23542300x800000000000000036569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:09.585{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250A0C9FE662B04C111D0DBBF5D9E948,SHA256=39E8C905F79A5785244515289EBDA9ACE25928BBE782704602F75AB023C90B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:09.263{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDD7F39CFBB73C01B6C35E02049BCEA,SHA256=4704E6DB0953D956302D9531CD12EF4CA1F3EFDA499AB0B9E30C1DF76FD9F055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:10.670{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7CD9DAABB265F2F5DCFEA82930440D,SHA256=4D1011C277C37543EDEE5BD4E3274BD840A63C74EBDA445780ADEC68B23A42EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:10.333{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EFFE467F62D278EF3B222399A5B8CE,SHA256=7E677179695DD7B0CADFF9D846ADA918929169831CAB50F2DB0009486946599D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:11.760{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752956301A05151753597ED85F7BFBD7,SHA256=B04B96884A3733FCDD035EF806432C1AD89AD8194ADD59661DB8A114E538A9C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:09.850{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49492-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:11.419{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66FD8B5BFA802A29A511352E647AFE9,SHA256=6637117835F266A6DAB7FB1960CBFFA89036787BB76F8CFFB04D0B99428172A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:12.852{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2675D03A64E61683532166BC937B0115,SHA256=6B7A20EA767EB02E693B74F7DD493C8E692E0D324E3554390F0525FCBDEB07B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:12.853{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:12.853{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:12.452{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A6D9481DBE5FC950B38D39BCCB0A1A,SHA256=17958B010EE024F7586C2CA16DD69245D3E2BB397FC9C2F505C47BBE857A816D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:12.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:12.205{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:13.959{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DF38A6EF62AD723657B1F321AEAD15,SHA256=7FC0717F6A7C2B982FB04EF0775D7163660D13B0EC8712D6D398D8BE317FB754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:13.504{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0662CFBC6ED4CF795868372D9565C692,SHA256=DF278AD321F5E41E66E12AA416FA5B19AAD653AE87BF7A6F397FF8AAEAB8A4D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:14.972{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:14.972{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:14.525{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586FE6F3B9C46C6D435BA24CE0D38EC9,SHA256=2CE7E3F67107E77FF719647AB6FC339109E7AE067508C3C4C373D74D586FD657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:14.664{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=69643053BBCDD61A802D5334BE57E7E0,SHA256=9C74B24A7C0591B99536C2FF75BA1E64D58A9113BF56FE61A9BE9385D2782E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:14.171{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=04CF0978622F6A552851207E902BBC4E,SHA256=7771CE51CA208C49972C5A59061E0E2EBE200E7296D148DF93D2AD318A10EEDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:14.108{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:14.108{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000079859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:15.943{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C43EA32C5EF1BE8747E7C115E3998297,SHA256=4C61C94F4CA182F1FB43B627B9FE5904BD50BA7B147AE8F5598CF089BB2129F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:15.573{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493CB825BBA9CC26F2C8F0C11402EC06,SHA256=A6CA04BCDD206984024CC29BA0E1DD0A950CC8B97B127DFAAD4C9F1E665CBCB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:12.081{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50570-false10.0.1.12-8000- 23542300x800000000000000036576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:15.039{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB7604C6CB8C1F905C847303A7A997B,SHA256=F4322E2394E254C00DF6BFB0727D3AE88736988BA9B71CEDCAE02F17AC9C805C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:16.609{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBD409E45D41345CFC5C6D696EF1AF7,SHA256=32DECFEA0D3AC607959B25283451B6D7E225D57D32CA129BD9B152FD73D4519C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:16.129{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7EF19C58A0EF0A5D7754C7685A0E02,SHA256=D8A3BF45C349090F7624A871B3147BD2326E509A14995178B49F2A4AB70F09AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:16.327{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:16.327{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000079866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:15.741{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49493-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:17.645{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5E56C88F16ABF52C4F2F35C242BF69,SHA256=DB724796A54906505A9FFD994A39D917B62D9C41DAD1B12A92C874A81CC3A92F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:17.629{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:17.629{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:17.230{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C7C08A3840DA947A935556D9F1905C,SHA256=00AF89A30DC8EA1A35B5A429FE8633D7EB876740EF4C9C9C2E458391E4764514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:18.716{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42002D955DFF6DE37ACA04265965B305,SHA256=4162336CBDDAC99E731C8E0964297D64D102EB8F33BD919BF8CFBA8C322CF3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:18.335{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707CA7B7C79E435CDF50ABB8DA4D294B,SHA256=E23F0EABC8812BDC50E4BFC3F20BAA2EA1838FF63B22C18BA27F484BCEB5D435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:18.549{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:18.300{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-070MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:19.440{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5AEE35E5493844B2BB8740FAC64088F,SHA256=132FF1426DD5B70B16E4A687E132354D533CACB49828FF0F725A77768DCCEAE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:18.165{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49494-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000079871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:19.814{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F916CBC7856DB55BEEB4E080C11CE8F,SHA256=BCD284A1B96329DD25A80F67AF6D244D44665B49A13D5A1CDFA1D747650D6D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:19.315{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.998{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.992{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.990{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.981{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.963{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.957{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.951{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.946{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.934{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.929{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.924{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.916{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.912{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.904{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000036585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.898{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 10341000x800000000000000036584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.896{72106695-ED09-63D0-1F00-00000000BB02}20002792C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000192D0190) 354300x800000000000000036583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:17.970{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50571-false10.0.1.12-8000- 23542300x800000000000000036582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.548{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31ACBE18AEC046E473ECD3354C83218,SHA256=0DA012834CB0F41D87B179BEF708814B9406E51714D5E9E8C8C3D9ED5714710D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.997{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.989{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.981{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.970{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.960{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.925{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.903{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.889{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.877{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.868{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000079875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.839{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B344532D1C917B6575819F001FE15CFB,SHA256=83B08B8DA2C39E6CD816AD149F7124C14EDC66C484C026E1C4DECC03B6A7D2D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.811{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000036613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.973{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3577BF6F9AF9FBA4358C73AFF183674B,SHA256=126A04DBC98D21FDEFD08117DDC3DBE1BB840483F69340718FF9AEE50349B938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.873{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6929E895F5BBA3A2DAF28A2103C94F,SHA256=AAEF14437C785EE76A6FAFD94D88E52BAADCC41454BE5A7253D349583D1EA3FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.048{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.040{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.038{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.035{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.033{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.030{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.027{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.026{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.018{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.015{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.012{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:21.004{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000036600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:20.999{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000079898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.609{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.604{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.599{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.065{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.056{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.048{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.039{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.037{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.029{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.025{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.023{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.020{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:21.012{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000079901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:20.802{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49495-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000079900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:22.919{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC2DEB6228ECDE9E04683DE3B283AEC,SHA256=DBF7BAA1DE4BE9CDECD83CF9F88755B0766476118039AE96AE81D5835AA91595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.955{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAB11D3FC3F1C454D5734BB9E5BE092,SHA256=E35C2F9DD13290D20E655E97B6E47618E5ACE3DCE505B3DC1D4C46871E14585D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:23.219{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:23.057{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2423C4167A7A4149A75DD621E1AC729,SHA256=FDB6592150EB4C2E5FA2F247B3158183ECED97CDF1B3ABFFFEB63533C9E3DF73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.624{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.623{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.620{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 534500x800000000000000079903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.523{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin 10341000x800000000000000079902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.523{45AAC21C-F6CE-63D0-DF02-00000000BA02}3681172C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FDD7-63D0-C603-00000000BA02}2920C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a249(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+23432(wow64)|UNKNOWN(0000000009C1762B)|UNKNOWN(0000000009C17567)|UNKNOWN(0000000009C174BF)|UNKNOWN(0000000009C1749B)|UNKNOWN(00000000039B1AA7)|UNKNOWN(0000000009C1DC2E)|UNKNOWN(00000000037CB965)|UNKNOWN(00000000037CAFE6)|UNKNOWN(00000000037CAF20)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64)|UNKNOWN(0000000019A9CB1A)|UNKNOWN(00000000035258ED) 23542300x800000000000000036616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:24.150{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582D3286E0DC4495FDC274D465021842,SHA256=8D9AA808CF46D5DD628808CD8E50F2C7880CA472443AFDB332C2C43657D3E25E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000079980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.780{45AAC21C-ED4E-63D0-9300-00000000BA02}13366208C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.769{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993BA2)|UNKNOWN(FFFFC7230899649B)|UNKNOWN(FFFFC7230890E09B)|UNKNOWN(FFFFC7230890DFD2)|UNKNOWN(FFFFC7230890CDE7)|UNKNOWN(FFFFC7230899740A)|UNKNOWN(FFFFC72308998173)|UNKNOWN(FFFFC7230898FD49)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\user32.dll+1ea2e 10341000x800000000000000079978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.769{45AAC21C-ED4E-63D0-9300-00000000BA02}13363108C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.769{45AAC21C-ED4E-63D0-9300-00000000BA02}13363108C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.602{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.601{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.600{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.599{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000079941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.348{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.348{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.347{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.346{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.345{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.344{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.340{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.337{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.335{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.334{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.334{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e599|C:\Program Files\Mozilla Firefox\xul.dll+e8e87b|C:\Program Files\Mozilla Firefox\xul.dll+12343fb|C:\Program Files\Mozilla Firefox\xul.dll+1234522|C:\Program Files\Mozilla Firefox\xul.dll+e8afa7|C:\Program Files\Mozilla Firefox\xul.dll+1250842|C:\Program Files\Mozilla Firefox\xul.dll+c450c|C:\Program Files\Mozilla Firefox\xul.dll+c49e88|C:\Program Files\Mozilla Firefox\xul.dll+c49bcb|C:\Program Files\Mozilla Firefox\xul.dll+18d4984|C:\Program Files\Mozilla Firefox\xul.dll+18925a5|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+1892989|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+197c288|C:\Program Files\Mozilla Firefox\xul.dll+1b83b62|C:\Program Files\Mozilla Firefox\xul.dll+1b7b784 10341000x800000000000000079930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.332{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e599|C:\Program Files\Mozilla Firefox\xul.dll+e8e87b|C:\Program Files\Mozilla Firefox\xul.dll+12343fb|C:\Program Files\Mozilla Firefox\xul.dll+1234522|C:\Program Files\Mozilla Firefox\xul.dll+1234522|C:\Program Files\Mozilla Firefox\xul.dll+e8afa7|C:\Program Files\Mozilla Firefox\xul.dll+1250842|C:\Program Files\Mozilla Firefox\xul.dll+c450c|C:\Program Files\Mozilla Firefox\xul.dll+c49e88|C:\Program Files\Mozilla Firefox\xul.dll+c49bcb|C:\Program Files\Mozilla Firefox\xul.dll+18d4984|C:\Program Files\Mozilla Firefox\xul.dll+18925a5|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+1892989|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+197c288|C:\Program Files\Mozilla Firefox\xul.dll+1b83b62 10341000x800000000000000079929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.332{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.332{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e599|C:\Program Files\Mozilla Firefox\xul.dll+e8e87b|C:\Program Files\Mozilla Firefox\xul.dll+12343fb|C:\Program Files\Mozilla Firefox\xul.dll+1234522|C:\Program Files\Mozilla Firefox\xul.dll+e8afa7|C:\Program Files\Mozilla Firefox\xul.dll+1250842|C:\Program Files\Mozilla Firefox\xul.dll+c450c|C:\Program Files\Mozilla Firefox\xul.dll+c49e88|C:\Program Files\Mozilla Firefox\xul.dll+c49bcb|C:\Program Files\Mozilla Firefox\xul.dll+18d4984|C:\Program Files\Mozilla Firefox\xul.dll+18925a5|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+1892989|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+197c288|C:\Program Files\Mozilla Firefox\xul.dll+1b83b62|C:\Program Files\Mozilla Firefox\xul.dll+1b7b784 10341000x800000000000000079927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.332{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e599|C:\Program Files\Mozilla Firefox\xul.dll+e8e87b|C:\Program Files\Mozilla Firefox\xul.dll+12343fb|C:\Program Files\Mozilla Firefox\xul.dll+e8afa7|C:\Program Files\Mozilla Firefox\xul.dll+1250842|C:\Program Files\Mozilla Firefox\xul.dll+c450c|C:\Program Files\Mozilla Firefox\xul.dll+c49e88|C:\Program Files\Mozilla Firefox\xul.dll+c49bcb|C:\Program Files\Mozilla Firefox\xul.dll+18d4984|C:\Program Files\Mozilla Firefox\xul.dll+18925a5|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+1892989|C:\Program Files\Mozilla Firefox\xul.dll+1d0538f|C:\Program Files\Mozilla Firefox\xul.dll+1e7adf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+197c288|C:\Program Files\Mozilla Firefox\xul.dll+1b83b62|C:\Program Files\Mozilla Firefox\xul.dll+1b7b784|C:\Program Files\Mozilla Firefox\xul.dll+18661eb 10341000x800000000000000079926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.320{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.288{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.272{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.270{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.268{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.263{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.261{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.234{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.221{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.192{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.176{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.161{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.155{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.153{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.148{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.146{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.145{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.142{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000079908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.141{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000079986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.018{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49496-false172.217.1.98yyz08s09-in-f98.1e100.net443https 354300x800000000000000079985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.994{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56825- 354300x800000000000000079984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.994{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62240- 354300x800000000000000079983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:23.989{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local54787- 23542300x800000000000000079982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.193{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DD76F6CAA71CEE2618921B797CE711,SHA256=3CBE8BDAAC011C8704D43F0FBB1F37D6C03650BB875EA4BA9E45802CF386E80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.181{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99670BD5580FB3A104EACDD5BADA4C9,SHA256=5B05AF21BA9931F30FAE1EA9B29C5A28F6EFC7AF776B07C7B57948B10ED1D8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:25.238{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE27EA2B41642144642EBB05C5E1981D,SHA256=9F5DADB66E902669B61F7C3479286CE0ADC680F23242C481F4C258241535EDCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:26.238{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8BE0BBAB2500A3B04D2A5B443BD106,SHA256=D94219A263EA790716CE9B13FDEF2DD097F5B4E66002C8A47CF49642D96BEE35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE32-63D0-8602-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FE32-63D0-8602-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.363{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE32-63D0-8602-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.364{72106695-FE32-63D0-8602-00000000BB02}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.344{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CCE9D2029C8E358F9333E835F729D8,SHA256=FFA4CF099EC8DB86F340A04E02F971CB0546A05538C94511CE3EE76BCA3EA524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:26.312{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000079990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.844{45AAC21C-F98D-63D0-3003-00000000BA02}7812dt-external-521234871.us-west-2.elb.amazonaws.com052.10.37.64;54.148.86.105;52.33.19.41;52.37.43.184;54.203.28.50;50.112.52.8;34.213.104.191;52.33.247.24;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000079989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:27.319{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2589414D770F4CCE3FDF7F460597CF5F,SHA256=09EE85752DA918C80689DCEB1F6B9E7582715C689FA4C4142A76EA46D9A664C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.941{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DD9DAAA5A1A47367D6D3C4297376F63C,SHA256=3310036A748987F620DA1B3C541B51EF8858F62916CF380A6BA16B13289CCA42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.878{72106695-FE33-63D0-8802-00000000BB02}35203544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE33-63D0-8802-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FE33-63D0-8802-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.706{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE33-63D0-8802-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.707{72106695-FE33-63D0-8802-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.469{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7142C4BFAF1E5D83CD9276D20F9A61,SHA256=2CB0154184063C4FF31C168603514EA5EB9E75311842051EAEE2945BBC6CFC26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.439{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17BED86DC035D3393D3A60798EDD663E,SHA256=C4F24F8159E494DEDB5BC7524D85069B773B22984816C4518F87143F785B855E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.438{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5633828840133C1A9BE2BAA5079D2CA2,SHA256=F8E50BEC3F2D75BD397C1ADA080779E6414A18798B3CF69ACAD5E316131985B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000079988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:24.117{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local56826-false172.217.1.98yyz08s09-in-f98.1e100.net443https 354300x800000000000000036646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:23.077{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50572-false10.0.1.12-8000- 10341000x800000000000000036645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE33-63D0-8702-00000000BB02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FE33-63D0-8702-00000000BB02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.023{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE33-63D0-8702-00000000BB02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:27.024{72106695-FE33-63D0-8702-00000000BB02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.768{72106695-FE34-63D0-8902-00000000BB02}1460964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE34-63D0-8902-00000000BB02}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FE34-63D0-8902-00000000BB02}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.611{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE34-63D0-8902-00000000BB02}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.613{72106695-FE34-63D0-8902-00000000BB02}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:25.188{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50573-false10.0.1.12-8089- 23542300x800000000000000036665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:28.533{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B9BF057D757054DF75C84A612B1321,SHA256=6280698B06FE82A8D14909DA6190691E6ADB40A2518313D6F3F0C3CD11D5299D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000079997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:28.385{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34FB6C78D622E2035CA903917986DEA,SHA256=D12B4FDB79032B01F70875A16D801D66DA8F14698D3C2C763B515511FE925762,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000079996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.845{45AAC21C-F98D-63D0-3003-00000000BA02}7812dt-external-521234871.us-west-2.elb.amazonaws.com02600:1f13:800:7782:25fb:6d1b:eb59:f094;2600:1f13:800:7782:bf7f:87a8:e99d:b4dd;2600:1f13:800:7780:b3bf:ab54:3736:ef1d;2600:1f13:800:7780:37cc:3fa2:a72b:edcf;2600:1f13:800:7781:42a4:ee06:e1a9:8972;2600:1f13:800:7781:e8a8:50e8:e13d:baf4;2600:1f13:800:7780:a94e:e0af:1e4c:a856;2600:1f13:800:7782:f063:47df:fd1b:6599;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000079995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:26.694{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49498-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000079994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.894{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49497-false52.33.247.24ec2-52-33-247-24.us-west-2.compute.amazonaws.com443https 354300x800000000000000079993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.834{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local54415- 354300x800000000000000079992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.834{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56956- 354300x800000000000000079991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:25.831{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63769- 23542300x800000000000000036681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:29.612{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EDF3A4D6A4640E9C3A90DBCA87618A,SHA256=211E383D1E69ED1DB8D8F797B9C54281A9D1DAD2B71B0007950425D661B978B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.406{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997363E23FCF737010D019D3F3E723A6,SHA256=ACAB269A4AA04980CBEDB5E7AB352670A68A198083F694366B0720C333044B01,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000080002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:26.790{45AAC21C-F98D-63D0-3003-00000000BA02}7812www.google.com0172.217.4.196;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:26.789{45AAC21C-F98D-63D0-3003-00000000BA02}7812www.google.com0::ffff:172.217.4.196;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000080000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:26.784{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local62242-false172.217.4.196ord37s19-in-f4.1e100.net443https 354300x800000000000000079999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:26.781{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63188- 354300x800000000000000079998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:26.780{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53274- 23542300x800000000000000080103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.962{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1758517B9679FBC706E9F4B2655DF5DD,SHA256=2B39BF46EEA96C91AD78B64B1F00FD295BC743A209E37F5336064893C71DABE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.932{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.932{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.932{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.931{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.931{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.931{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.746{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.746{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.746{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.608{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000080092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.607{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.607{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF432748.TMPMD5=4DF8043D988875F196E7170EB48ADC55,SHA256=C4660FA4B1BB90DD96D9F3B0818855B399BF0E5C3D38653DC439DAD480C79018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.523{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.831{72106695-FE36-63D0-8B02-00000000BB02}31122652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.706{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3317983312CE67FABFACEB5A688482C,SHA256=11427D1A4FC4130389A50D972F58A6C36E20086025E2755091F2468EE95D5FD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE36-63D0-8B02-00000000BB02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FE36-63D0-8B02-00000000BB02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE36-63D0-8B02-00000000BB02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.675{72106695-FE36-63D0-8B02-00000000BB02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.346{72106695-FE36-63D0-8A02-00000000BB02}31441148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE36-63D0-8A02-00000000BB02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FE36-63D0-8A02-00000000BB02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.174{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE36-63D0-8A02-00000000BB02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:30.175{72106695-FE36-63D0-8A02-00000000BB02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000080089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.518{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:30.518{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.13.63748316C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.513{45AAC21C-F98D-63D0-3003-00000000BA02}78126920C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:30.513{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko-crash-server-pipe.7812C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.508{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.491{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:30.491{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.12.66916078C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.484{45AAC21C-F98D-63D0-3003-00000000BA02}78126920C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:30.484{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko-crash-server-pipe.7812C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.471{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.471{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.467{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.467{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.467{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.467{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.463{45AAC21C-ED35-63D0-7E00-00000000BA02}12364912C:\Windows\system32\csrss.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.463{45AAC21C-F98D-63D0-3003-00000000BA02}78123648C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1b8f|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.465{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7812.13.637483164\1176291868" -parentBuildID 20230112150232 -sandboxingKind 1 -prefsHandle 4428 -prefMapHandle 4444 -prefsLen 31804 -prefMapSize 234634 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a180f080-0679-40a4-a65a-fef0591a9215} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 5008 27865439e58 utilityC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000080071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.463{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.463{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.463{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.459{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.459{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.459{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.455{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.451{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.451{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.451{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.451{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.451{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.451{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.451{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.435{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.435{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.435{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.435{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.435{45AAC21C-ED35-63D0-7E00-00000000BA02}12364912C:\Windows\system32\csrss.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.435{45AAC21C-F98D-63D0-3003-00000000BA02}78123648C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.435{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7812.12.669160782\1744355161" -parentBuildID 20230112150232 -prefsHandle 4260 -prefMapHandle 4284 -prefsLen 31804 -prefMapSize 234634 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25999159-2c61-4c43-b348-fe2f86dcedd6} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 4568 27865088b58 rddC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000080038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.431{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F998-63D0-3F03-00000000BA02}6856C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.427{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000080011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:02:30.423{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.13.63748316C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000080010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:02:30.423{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.12.66916078C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000080009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.371{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\protections.sqlite-journalMD5=15A600CE5115DF9461472E71F142EBD9,SHA256=BFD6445E71B67374BB3EFA5A2A618D056F3D0D6EED0788A0F6845586A355762E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.347{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F990-63D0-3703-00000000BA02}5072C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.339{45AAC21C-ED0A-63D0-1200-00000000BA02}4081692C:\Windows\system32\svchost.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.302{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F990-63D0-3603-00000000BA02}7836C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.201{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\formhistory.sqlite-journalMD5=5C6C3A5B1CBC8660401EC252E6306D16,SHA256=2F80F2AE7C57096F66C0CC3DB153B8EFC63D54210C0D480F002EFB8657C50BB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:27.536{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51176- 23542300x800000000000000036711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:31.799{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BB51344D58274972309E961EE18E33,SHA256=1E624937A21BBC26733D796F88813446E71434B3A0221F445A403F4F5A1CA24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.987{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC19CD0FCFDC14A523CAA4EC95CE1BD1,SHA256=8DB9540B4C366BF2A79FAF5E7317F40BCF539FB356972D94E05C14E98F19E03D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.236{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local62244-false142.250.190.3ord37s32-in-f3.1e100.net443https 354300x800000000000000080130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.077{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49499-false69.147.92.11e1.ycpi.vip.dca.yahoo.com443https 354300x800000000000000080129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.996{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local64143-false142.250.191.194ord38s31-in-f2.1e100.net443https 354300x800000000000000080128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.996{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local54161- 354300x800000000000000080127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.993{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64142- 354300x800000000000000080126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.972{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49996-false172.217.2.35ord37s52-in-f3.1e100.net443https 354300x800000000000000080125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.969{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local54796- 354300x800000000000000080124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.968{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49201- 354300x800000000000000080123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.964{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49995- 354300x800000000000000080122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.961{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local54756- 354300x800000000000000080121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.957{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63340- 23542300x800000000000000080120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.494{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=125B914277FB838785D4029DCD72E422,SHA256=3D1633122E6DAFEF77E86CE93888EC72EE962DD2CAE9FE68EA0A5FFDCFFC6A0B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000080119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.642{45AAC21C-F98D-63D0-3003-00000000BA02}7812plus.l.google.com02607:f8b0:4009:817::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.641{45AAC21C-F98D-63D0-3003-00000000BA02}7812plus.l.google.com0172.217.1.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.640{45AAC21C-F98D-63D0-3003-00000000BA02}7812apis.google.com0type: 5 plus.l.google.com;::ffff:172.217.1.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.076{45AAC21C-F98D-63D0-3003-00000000BA02}7812edge.gycpi.b.yahoodns.net02001:4998:14:800::1001;2001:4998:14:800::1000;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.074{45AAC21C-F98D-63D0-3003-00000000BA02}7812edge.gycpi.b.yahoodns.net069.147.92.12;69.147.92.11;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.073{45AAC21C-F98D-63D0-3003-00000000BA02}7812beap-bc.yahoo.com0type: 5 edge.gycpi.b.yahoodns.net;69.147.92.11;69.147.92.12;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000080113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:29.788{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56654- 10341000x800000000000000080112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.068{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.068{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000080104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:28.539{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64107- 10341000x800000000000000036726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE38-63D0-8C02-00000000BB02}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FE38-63D0-8C02-00000000BB02}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.908{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE38-63D0-8C02-00000000BB02}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.909{72106695-FE38-63D0-8C02-00000000BB02}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:32.877{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827F36FF14A2303C2593922094A12C23,SHA256=1BD5807B0866BF9580C27CC669AF98D2C8B739DA468A95222DF288EE8DFD27D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.716{45AAC21C-ED0A-63D0-1200-00000000BA02}4081692C:\Windows\system32\svchost.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000036712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:29.055{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50574-false10.0.1.12-8000- 22542200x800000000000000080154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.841{45AAC21C-F98D-63D0-3003-00000000BA02}7812play.google.com02607:f8b0:4009:809::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.839{45AAC21C-F98D-63D0-3003-00000000BA02}7812play.google.com0172.217.0.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.838{45AAC21C-F98D-63D0-3003-00000000BA02}7812play.google.com0::ffff:172.217.0.174;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 354300x800000000000000080148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.832{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local56889-false172.217.0.174ord38s42-in-f14.1e100.net443https 354300x800000000000000080147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.831{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49500-false142.251.32.10ord38s33-in-f10.1e100.net443https 354300x800000000000000080146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.830{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55288- 354300x800000000000000080145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.829{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55003- 354300x800000000000000080144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.827{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56888- 354300x800000000000000080143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.813{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62314- 354300x800000000000000080142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.811{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53412- 354300x800000000000000080141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.801{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local65356-false142.250.191.162ord38s30-in-f2.1e100.net443https 354300x800000000000000080140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.801{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56395- 354300x800000000000000080139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.799{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local65355- 10341000x800000000000000080138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.304{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F99C-63D0-4103-00000000BA02}4940C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.295{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e87711|C:\Program Files\Mozilla Firefox\xul.dll+e74cf8|C:\Program Files\Mozilla Firefox\xul.dll+44a1f0e|C:\Program Files\Mozilla Firefox\xul.dll+24f46b8|C:\Program Files\Mozilla Firefox\xul.dll+9a51a2|C:\Program Files\Mozilla Firefox\xul.dll+9591b1|C:\Program Files\Mozilla Firefox\xul.dll+16dd7b|C:\Program Files\Mozilla Firefox\xul.dll+9a8a05|C:\Program Files\Mozilla Firefox\xul.dll+963def|C:\Program Files\Mozilla Firefox\xul.dll+967031|C:\Program Files\Mozilla Firefox\xul.dll+965c9d|C:\Program Files\Mozilla Firefox\xul.dll+964e11|C:\Program Files\Mozilla Firefox\xul.dll+97030f|C:\Program Files\Mozilla Firefox\xul.dll+89b81d|C:\Program Files\Mozilla Firefox\xul.dll+8162ff|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104 23542300x800000000000000080136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.075{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\permissions.sqlite-journalMD5=D78F717311E702484AE051F35E10F2F5,SHA256=718205A41D482D62466C3B14DEB7C2F456173C3C65F1A4817024EEDBDCAC9B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.632{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local62246-false172.217.1.110mia09s17-in-f14.1e100.net443https 354300x800000000000000080134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.631{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49281- 354300x800000000000000080133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:30.560{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local62245-false142.250.190.46ord37s33-in-f14.1e100.net443https 23542300x800000000000000036728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:33.974{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA5B3E87977E6C42AB2FE374BAD2EFA,SHA256=B62281D297B8F5B1D4958704362FD19A3E770D67BE511FB2ABD8A4AE8E9E910A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:33.974{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D39298A1B72EC3B61277C76888C076EF,SHA256=9550A5B96DBE500B4324455716644D69D9B817D2A72872A25E82693C5FA023AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.773{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669D6178686BDA4D605BD65119FCA0DA,SHA256=41052E257BF740F132A077F512CBCA276D75983AF8639A47EC790962D778F260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.729{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\permissions.sqlite-journalMD5=9E2DA838495EE1618B8F7D85EF57D663,SHA256=9046C68C078283920335EDB549F56DDBBE2659B7C9742F6D2EDDE33F34DE9F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.564{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7A499330CE0D28EDF419B5BFBF9005,SHA256=DA80F809CB0C9B3ECA02F0733C77FE8109CD276FF75E59C99924D861D8A5954A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.994{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49504-false13.107.237.40-443https 354300x800000000000000080223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.991{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49503-false13.107.237.40-443https 354300x800000000000000080222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.975{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49753- 354300x800000000000000080221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.973{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52904- 354300x800000000000000080220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.971{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53228- 22542200x800000000000000080219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.985{45AAC21C-F98D-63D0-3003-00000000BA02}7812part-0012.t-0009.fdv2-t-msedge.net02620:1ec:4f:1::40;2620:1ec:4e:1::40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.984{45AAC21C-F98D-63D0-3003-00000000BA02}7812js.monitor.azure.com0type: 5 aijscdn2.azureedge.net;type: 5 aijscdn2.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 shed.dual-low.part-0012.t-0009.fdv2-t-msedge.net;type: 5 part-0012.t-0009.fdv2-t-msedge.net;::ffff:13.107.237.40;::ffff:13.107.238.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.984{45AAC21C-F98D-63D0-3003-00000000BA02}7812part-0012.t-0009.fdv2-t-msedge.net013.107.238.40;13.107.237.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.800{45AAC21C-F98D-63D0-3003-00000000BA02}7812e13636.dscb.akamaiedge.net02600:141f:4000:285::3544;2600:141f:4000:284::3544;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.799{45AAC21C-F98D-63D0-3003-00000000BA02}7812e13636.dscb.akamaiedge.net023.61.192.183;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.401{45AAC21C-ED0A-63D0-1200-00000000BA02}4081692C:\Windows\system32\svchost.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.397{45AAC21C-ED0A-63D0-1200-00000000BA02}4081692C:\Windows\system32\svchost.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.389{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.389{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.383{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.383{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.383{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 18141800x800000000000000080207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:33.377{45AAC21C-F98D-63D0-3003-00000000BA02}7812\LOCAL\cubeb-pipe-7812-10C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000080206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:02:33.377{45AAC21C-F98D-63D0-3003-00000000BA02}7812\LOCAL\cubeb-pipe-7812-10C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.353{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:33.353{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko.7812.6224.3116484907504579597C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000080203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:02:33.353{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko.7812.6224.3116484907504579597C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.349{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:33.349{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.14.199266117C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.341{45AAC21C-F98D-63D0-3003-00000000BA02}78126920C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:02:33.341{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko-crash-server-pipe.7812C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.319{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000080197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.318{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.311{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.311{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.311{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.311{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.311{45AAC21C-ED35-63D0-7E00-00000000BA02}12364912C:\Windows\system32\csrss.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.310{45AAC21C-F98D-63D0-3003-00000000BA02}78123648C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.310{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7812.14.1992661178\1742326128" -childID 11 -isForBrowser -prefsHandle 8184 -prefMapHandle 8412 -prefsLen 31804 -prefMapSize 234634 -jsInitHandle 1112 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc16a1a5-6dfd-41b8-941f-3968f5c83ee7} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 3756 27869334858 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 354300x800000000000000080189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.798{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49502-false23.61.192.183a23-61-192-183.deploy.static.akamaitechnologies.com443https 354300x800000000000000080188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.789{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52915- 354300x800000000000000080187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.789{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55170- 354300x800000000000000080186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.786{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56316- 354300x800000000000000080185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.737{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49501-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000080184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.309{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.309{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.308{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.308{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.308{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.308{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.307{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.307{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.307{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.307{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.307{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.306{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.306{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.306{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.306{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.306{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.305{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.305{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.305{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.305{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.305{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.304{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.304{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.300{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.300{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.300{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000080158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:02:33.300{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.14.199266117C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000080157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:31.603{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63457- 23542300x800000000000000080156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.025{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7ACADD9BF9AA77430DB8211DB0F425,SHA256=D8634310D218E2F14251C832221EBCF2E4D225DE6DA35D83329929AE60229F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.798{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DC5D75E56C7F315AD9F92D057395F8,SHA256=7F091DD9A31057C28062AEA0711086C318391E44D5AFA8E93722EBF344A67312,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000080248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.747{45AAC21C-F98D-63D0-3003-00000000BA02}7812dual-a-0001.a-msedge.net013.107.21.200;204.79.197.200;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.382{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.382{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.382{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 354300x800000000000000080244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.748{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49506-false204.79.197.200a-0001.a-msedge.net443https 354300x800000000000000080243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.737{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55968- 354300x800000000000000080242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.737{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53315- 354300x800000000000000080241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.735{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53091- 10341000x800000000000000080240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.134{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.134{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.134{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000080233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.673{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49505-false20.110.81.91-443https 354300x800000000000000080232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.651{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local50570- 354300x800000000000000080231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.644{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-62240-false127.0.0.1-53domain 354300x800000000000000080230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.637{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62240- 354300x800000000000000080229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.637{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98e0:c3fc:ad9:ffff-62240-true7f00:1:0:0:0:0:0:0-53domain 354300x800000000000000080228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.611{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51163- 23542300x800000000000000080261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:35.961{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=A8DFA7B24EABBD2297EB755F6E5EC164,SHA256=BA4EBE2CAC9285BEE3B92661D157688C5FD27BBE34EBBB99AB20E1AD901B8E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:35.949{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++www.google.com\ls\usageMD5=B3B3BA3A7B4244D7BB4977DBECC7FC59,SHA256=06A52E928E36841F7EB4C94B01ACC90C539E37D6D4B5E56587FDADAD7092EE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:35.814{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6CD7B53FB642239724C800A1374DCE,SHA256=4D104A13D315A927F61B404FF69B7B8235568DEB65C4079B4E4EBBD374E40C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:35.057{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D7345533DD25F0945ADCCAE0A12199,SHA256=13E3E179A873EAA5BB65C7CCA9CE20A0ED98B8473790D9B0417646E72ACBA321,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000080258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.491{45AAC21C-F98D-63D0-3003-00000000BA02}7812onedscolprdeus06.eastus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.490{45AAC21C-F98D-63D0-3003-00000000BA02}7812onedscolprdeus06.eastus.cloudapp.azure.com020.42.73.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:32.748{45AAC21C-F98D-63D0-3003-00000000BA02}7812dual-a-0001.a-msedge.net02620:1ec:c11::200;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000080255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:35.165{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\cache2\doomed\32097MD5=CA162540F13096E0B6308FDA95FEEEBC,SHA256=D965E7186A6BB3039E251823CC0A93F47DEB9608B976711896BDF616BBDEFD53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.493{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49507-false20.42.73.25-443https 354300x800000000000000080253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.492{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49508-false20.42.73.25-443https 354300x800000000000000080252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.480{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52422- 354300x800000000000000080251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.480{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56870- 354300x800000000000000080250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.477{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55140- 23542300x800000000000000080264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:36.821{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BAE9493E9A32799AD80AA1F375C17F,SHA256=05C24E06DBFAD3836EC4280CCEB7A6B412F1DA1761A736D9B4CE25E334D0F546,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:34.063{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50575-false10.0.1.12-8000- 23542300x800000000000000036730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:36.132{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCF99B8F38B1085131452FA9FC74C5F,SHA256=68AEA8D69587F962EFB3E6DADB98F6E570FFF170C7BA563A431E41D9C4C3505F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.611{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62390- 354300x800000000000000080262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:33.611{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56289- 23542300x800000000000000080270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:37.899{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++learn.microsoft.com\ls\data.sqlite-journalMD5=C5FD16C32D3DB77E6C8765434DA313D0,SHA256=DD2F4C54AEAF325AC2C14608A54B4A2AAFE7E6780C112C25F4890EEDCC45E421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:37.887{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++learn.microsoft.com\ls\data.sqlite-journalMD5=E3678B988CFE1258448F30B6B6BD4E49,SHA256=FB22C023ED81E8ABB1539EDA22E12525CB58F1FD8FDBC736B3F1A6E7855C54A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:37.879{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++learn.microsoft.com\ls\data.sqlite-journalMD5=43FC611405B16EC66C012DA42118B1E8,SHA256=3CBBA1982B378A25EB1D801184B699517D9A2F6883082068225E3DF1EA91EAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:37.867{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++learn.microsoft.com\ls\data.sqlite-journalMD5=6F68521C32C823EC412AE5A3A98D7BA7,SHA256=C60061F118C04083BBAB7EF28292E448080E4C17B0538AE78ABC41ED27D6D703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:37.831{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E29F7FCBC28BC0399ABC3E8C1CFC48,SHA256=0ABFA4C4E77FBB639D2A32FEAAC7E33E82D4EF184C32D1F78400524BEB9EC42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:37.211{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BDDC9DC8163061D16A35E47B7F0C14,SHA256=AE1FEEC8A79DFD9D121EB0388D40AA32ED010D45F9BFAB00EB61B616940F5415,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:34.611{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local50566- 23542300x800000000000000080271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:38.852{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6AC369A7A68F7568188C26655361DE,SHA256=5FB8359F9536C3853835AFC3EBC303B7F9BBAEC16BBED44EC06792795CA9CADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:38.310{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D321E8EB43BA951371AD94D68B1609,SHA256=BDA6A0D59D8F6FB31B0CB2022ACE265D44CA6BC11267092EA6D329F444D64109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.870{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFB62E7E3CF50C0057D6D10A5957EB5,SHA256=144D6CB59AAFC2CB25F94837406258B8243BBE807E3F862C365582339581F1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:39.407{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3573E02D2CE590EE9859CF1FDE38D2B,SHA256=785D17B47A33870C0B61F701F8E309A1EFC59534C6E2BE8C1D5EA5CD26E5B08E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000080278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.593{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\AlternateServices-1.txt2023-01-25 10:02:39.593 23542300x800000000000000080277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.593{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000080276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.593{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\AlternateServices-1.txt2023-01-25 10:02:39.593 11241100x800000000000000080275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.237{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\SiteSecurityServiceState-1.txt2023-01-25 10:02:39.237 23542300x800000000000000080274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.237{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000080273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.237{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\SiteSecurityServiceState-1.txt2023-01-25 10:02:39.237 354300x800000000000000080272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:36.777{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49509-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000080299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.998{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.989{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.977{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.972{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.962{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.941{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.933{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.902{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.891{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000080290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.890{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC24A526EE227494F79C03ADA33B69F,SHA256=69068F1CC27AD10A6A295228A585A9CCDF98E03F8157AE2E42027E69E55761BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.881{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000036752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.998{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.996{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.985{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.984{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.973{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.953{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.947{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.940{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.935{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.927{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.922{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.917{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.908{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.902{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.890{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.883{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.880{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000036735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.511{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639336673CC7328F2DD78767BD542134,SHA256=1C73B40F0550395DE0535F7CDF42C874B725DAE24275D96EBD1BEA30ECC9986A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.872{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x800000000000000080287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.492{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51162- 10341000x800000000000000080286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.864{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.811{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:40.809{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000080283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:38.450{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local57041- 354300x800000000000000080282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:38.435{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local65456- 354300x800000000000000080281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:37.041{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51372- 354300x800000000000000080280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:37.041{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62247- 23542300x800000000000000080314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.913{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4D626DA8BFCEAEE70927EC0769BF8B,SHA256=F920578406414F82B9C0567C9588E05A295C73A9E69F916A207A827EEDE2C290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.980{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93C4D621321DA177877B1FC0EE622D9,SHA256=D10FEC57BEFE70EC837BD4201AB165ED11DBD144E53559D92EE70DDD6E6BD825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.517{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.512{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.508{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.289{45AAC21C-ED0A-63D0-0D00-00000000BA02}9046848C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.289{45AAC21C-ED0A-63D0-0D00-00000000BA02}9046848C:\Windows\system32\svchost.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000080308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.509{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49510-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 10341000x800000000000000080307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.035{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.029{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.021{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.014{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.012{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.005{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.003{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.001{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000036764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.031{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.028{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.026{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.024{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.023{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.021{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.020{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.019{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.017{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.015{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.010{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000036753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:41.001{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000080326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.935{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20783376AAAA7A6AA274D0BE9529F361,SHA256=CF326779AEE8A8DCCDB9E9F63E8930AEA023999E86081B19A69CD0C4DC6AD4FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.751{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE42-63D0-D103-00000000BA02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.747{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.747{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.747{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.747{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.747{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FE42-63D0-D103-00000000BA02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.747{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE42-63D0-D103-00000000BA02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:42.748{45AAC21C-FE42-63D0-D103-00000000BA02}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000080317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.664{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49511-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000080316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.651{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49775- 354300x800000000000000080315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:39.648{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51628- 354300x800000000000000036766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:40.012{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50576-false10.0.1.12-8000- 23542300x800000000000000036767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:43.040{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2658F30DADFACD7DCB03EB7C6FD0916A,SHA256=DE8929153EFCAA6B73215034415BB59E1B4F3C81623A20A0205CC1336B915DE9,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000080349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.668{45AAC21C-F98D-63D0-3003-00000000BA02}7812e14801.x.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.667{45AAC21C-F98D-63D0-3003-00000000BA02}7812e14801.x.akamaiedge.net023.32.229.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.666{45AAC21C-F98D-63D0-3003-00000000BA02}7812www.homedepot.com0type: 5 www.homedepot.com.edgekey.net;type: 5 e14801.x.akamaiedge.net;::ffff:23.32.229.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.659{45AAC21C-F98D-63D0-3003-00000000BA02}7812www-amazon-com.customer.fastly.net02606:2cc0:2::374;2606:2cc0:3::374;2606:2cc0::374;2606:2cc0:1::374;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.658{45AAC21C-F98D-63D0-3003-00000000BA02}7812www-amazon-com.customer.fastly.net0162.219.225.118;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.657{45AAC21C-F98D-63D0-3003-00000000BA02}7812www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 www-amazon-com.customer.fastly.net;::ffff:162.219.225.118;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000080343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.853{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=007EDD293AFBF5221336F7939A12A048,SHA256=CDF31AA74271654D5A9DFCD258C32AC4685F770A0F7FB2522AE9803B168A9EDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.658{45AAC21C-FE43-63D0-D203-00000000BA02}65407328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.603{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.536{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.526{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.418{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE43-63D0-D203-00000000BA02}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.414{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.414{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.414{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.414{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FE43-63D0-D203-00000000BA02}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.414{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.414{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE43-63D0-D203-00000000BA02}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.416{45AAC21C-FE43-63D0-D203-00000000BA02}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000080329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.648{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62860- 354300x800000000000000080328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.648{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56132- 354300x800000000000000080327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.646{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53738- 23542300x800000000000000036768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:44.131{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6AA54151F6268000C9EDD74C0FCED4,SHA256=88F1E8E676C195780A950288A97B6B6E9D2C3A8CE3DB8672B078750E38E4B26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.862{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\cache2\doomed\32556MD5=E25A92DD532860F68506A894672848FE,SHA256=3A229B3BCBCCE9D78528C81568409D7768C9FD68AE163A9B7A70E1FFA55B399C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.604{45AAC21C-ED0A-63D0-0D00-00000000BA02}9046848C:\Windows\system32\svchost.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.320{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.318{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.312{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.305{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.302{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.298{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.296{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.291{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.288{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.285{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.276{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.248{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE44-63D0-D303-00000000BA02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.248{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE44-63D0-D303-00000000BA02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.248{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE44-63D0-D303-00000000BA02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.241{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000080380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.223{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ED005D6B487E5CA7DBAA4D1E66CD0BFF,SHA256=10C824D83118A8387DE2C0B0446A4E2EDD4E1F6DF841219212EEDA7421B39C22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.214{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.212{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.208{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000080376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.207{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=136F0BA424809FEC99FA8EBB57FE7937,SHA256=C84C2ED4BD111A80CA9A931F1FF6A9066FABC5F3BABBFAC04E8E035F9315713C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.202{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.198{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.162{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.147{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x800000000000000080371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.811{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49512-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000080370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.658{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62464- 354300x800000000000000080369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:41.657{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62623- 10341000x800000000000000080368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.108{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.098{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.094{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE44-63D0-D303-00000000BA02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.092{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.092{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.092{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.092{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.091{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FE44-63D0-D303-00000000BA02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.091{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE44-63D0-D303-00000000BA02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.091{45AAC21C-FE44-63D0-D303-00000000BA02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000080358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.085{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.078{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.075{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.073{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.062{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000080351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.061{45AAC21C-ED5C-63D0-A400-00000000BA02}53205352C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000080350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:44.059{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA68973FC1E45F9E7336A75AB89C780,SHA256=49F990EE939A0C7C1E012DE3156CCCA8A6999FE3625172B843EF1342A062484A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:45.246{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2317CEBB20D74E217D2C67A0CF7AC9,SHA256=782E88E3E2D0F50F660E70C5FBAD8E4C1D56F3E4901510170039106809388F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:45.212{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2B7DCEBAEA13F31342F6E4C9ECBCC4,SHA256=1521CEFF2AA1769382093747CCE703B643B54BB8A5E6D540975401BB4597AD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:46.300{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F65B13CB70C57260379F38793FA2ADB,SHA256=673474542E1D87BAE1E47D823D5BA20D07E17D1A2391ADA3292079B193718BD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.505{45AAC21C-FE46-63D0-D403-00000000BA02}30524616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.322{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226409595E9E36D9707A2EBA039D55FB,SHA256=2120107E457EF0630000873DD9AAC85432A63C5ACFE70923E7AB06D1357551EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.249{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE46-63D0-D403-00000000BA02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.245{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.245{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.245{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.245{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.245{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FE46-63D0-D403-00000000BA02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.245{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE46-63D0-D403-00000000BA02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.246{45AAC21C-FE46-63D0-D403-00000000BA02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000080400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.709{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49513-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000080399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:43.709{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49513-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000036771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:47.397{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B191D0DDA27C11FB3C0633B439C893,SHA256=49511C69CA0238894A99676F5C8F014E7FDE150A0E217290CFA72F5A92D0610F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.965{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.961{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.961{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.961{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.961{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.961{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.961{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.962{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000080420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.537{45AAC21C-FE47-63D0-D503-00000000BA02}61883908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.337{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C953E2678A8E2A1DE21A19180801139C,SHA256=2CE602EAF2BD348F9A27D040C24F07176673992B559F1A98AB0C1D4147F169C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.306{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE47-63D0-D503-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.301{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.301{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.301{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.301{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FE47-63D0-D503-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.301{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.301{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE47-63D0-D503-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:47.302{45AAC21C-FE47-63D0-D503-00000000BA02}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:48.492{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4000C18FEE5EB66D32273BB92AF03574,SHA256=2897D565B62CA00DA5A02C1484C37499D3DC4F165A23CF62AED944BA37867925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.401{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7D1DBE63E717C80F7D4F8F6A706339,SHA256=E21B1F2B64C3B2A59D7EDDB993081BF727645E9580BF2239D8C40B130D23AFE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.393{45AAC21C-FE47-63D0-D603-00000000BA02}61725996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.281{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.277{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.277{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.277{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 354300x800000000000000080433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:45.677{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49454- 10341000x800000000000000080432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:48.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE47-63D0-D603-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:49.596{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546EC8B8BAE70D1B0D29E0706CC449B3,SHA256=E258886DC698C31A882D58644E96B5B810CA6B048BFE2CDCC03407E701FDC693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.906{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.902{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.902{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.902{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.902{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.902{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.902{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.903{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:49.410{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B790F8F5499104CB30B161A3B9A98CF5,SHA256=636E170B263623F879D163AB51DF75184BBE6500E45019E3D32BB8DF521DAE57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:45.913{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50577-false10.0.1.12-8000- 354300x800000000000000080442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:46.836{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49514-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:50.685{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929A80E59BB12041196B4574B40FA1AB,SHA256=DF72F52A1EBC1ADF7E5C067D00A2D835189246C2399553A7AEFF37617DD4A7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:50.975{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8507B741CEBCB7484192B555EE67B36D,SHA256=C341AA27AF37C5A2903E8F17FFB1BCC416589F06CD586CDC8ED2FE7CBB1C4D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:50.430{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731FAF9220547DAEFFEC550DD712FA79,SHA256=5862D7E5481FFEACB34CDB9B2CD59E47042502BA5AA9019D61ABFB8BEF7EC7EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:50.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:50.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:50.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:50.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE49-63D0-D703-00000000BA02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:51.767{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E20C0BA9ED700E86512BB59D59ECE63,SHA256=C55D40BB4D1B37DAAFEBB96520C472814D600D7DFE472C65159351D5F740D024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:51.451{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3703A9B19340AB83B860AE03DCAD6B58,SHA256=B91482D67A6FFE63B7F3DA4EBD757E94CC2EDE27B84E10BAC4EAE6E118E2EF68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:52.853{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C331175A2530A5D0B4049D35C82FE2,SHA256=D2AF3586DC61BC248B447FB137BF252EB6DC98AE528E2729F7F2CA6D49615301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:52.468{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED63675F75FAE13E2B32505DBC6D19CC,SHA256=1FB673227C47F385D6CCAC981399E865191155D3469D9ED7B304957F5258B71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:52.003{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:52.003{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A0301CDDE1B3A2C63C68C5C311A30EEA,SHA256=741BFA0E7E942EF3F0E5D8DD701319E8516D18B5ADB6DFF22E9A7C542509E66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:53.928{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E9E0943305475119039C3C092E692F,SHA256=4D4E1BD9CC5CB0B51CF64111A9D15A12F2EAA6178A375E4578F44743428AEFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:53.492{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1172845C445A34CE788D3CBE91E15EC5,SHA256=ADCBD9CEE3141E1ED30DFF2C40880A92062AA606122DA1EB0DE7B16BA6B9E849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:54.502{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E86B68FC781D724C299E1187D6560D,SHA256=ADBBE135014B61145E6163C5D7BC33E6E84D39DB0B565685233C3ABA82FCED67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:50.995{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50578-false10.0.1.12-8000- 354300x800000000000000080463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:51.850{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49515-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000080465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:55.514{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35B955B351DF2CC44A2AA1CF2E44F69,SHA256=32853E51AE4A55A2322E02F4A560EF18F107A21BE4D16ECB2B42E55F590BBB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:55.018{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A360D4AA933C8790DF06A1E8FAF3ED,SHA256=4221254DE20859346BDF61F30D7E73DDA03463F7C540191B64EABA9AEE4DDAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.531{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4CA918C8E984574C6A7B0CA612AAF3,SHA256=14A95F19125D6AAB304287F8C795D80334127C5160FA0D84FB1BB0F26F311FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:56.094{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97678D36467A8798BBA7B506BD12E9B5,SHA256=51D00B400700562E271579D92F53CA30BDF9EA8E3486C8232495077F8F663E3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.536{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49516-false20.189.173.10-443https 354300x800000000000000080472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.470{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55667- 354300x800000000000000080471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.467{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63385- 354300x800000000000000080470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.456{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52545- 22542200x800000000000000080469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.299{45AAC21C-F98D-63D0-3003-00000000BA02}7812onedscolprdwus09.westus.cloudapp.azure.com020.189.173.10;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000080468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.289{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64510- 23542300x800000000000000080467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:57.549{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14ACA811FEB4FABAFDED53618B42830,SHA256=CB094EDDE9F47EC1A64C65D961EA1A5F4D2C26A9B412FD636D4C47255EB81C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:57.189{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3FC3684E2A38D3D19BB65092F9E839,SHA256=DB6D6351AC3B705193BC50A71F7F6DB79545D93DBCF1B093D423879DB7B3B22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:58.286{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7366EB37347127CF80692097C159C9,SHA256=4F5BAFA239E0C3037D1AAA2E350CC57710BD35EE81B963DB36FA027A5BC0209B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:58.845{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\permissions.sqlite-journalMD5=057DA015BCAEDC0DEFCECB22D12D410D,SHA256=2CA1E13E06EBA56E3DDD063BE8F04E886542137FDE75CFDB5CD52AEE25A72C5E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000080479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.490{45AAC21C-F98D-63D0-3003-00000000BA02}7812e13636.dscb.akamaiedge.net02600:141f:4000:284::3544;2600:141f:4000:285::3544;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000080478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.312{45AAC21C-F98D-63D0-3003-00000000BA02}7812onedscolprdwus09.westus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000080477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:58.566{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A3FB13661E5411FC0EB745C2C66465,SHA256=4989F7B960CB308D76128A41B5E6D3AA056898612A2D639A4526F5C5E15C4F8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.657{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62927- 354300x800000000000000080475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.653{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51543- 354300x800000000000000080474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:56.653{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56119- 23542300x800000000000000036783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:58.048{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1F7D738428BE4FF5EC0D9994988812D3,SHA256=93CEB0C3DC8C5FB3AD1D4B1C1B7FAF5BDCE2BD8F31CA83574C726093E426E8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:59.383{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70F2961FB153A76865153249B88145E,SHA256=92F73EB4899E24193C97B23B38F61871CAEF530017B9E4129DD0BC2D03F924B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:59.587{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723B261A6DB0B2158258C50E203635D7,SHA256=F14B77031B8E5348C779E1BDC80BD570B08D9F0352E9351D671DDAEC89CF7AD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:02:56.132{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50579-false10.0.1.12-8000- 10341000x800000000000000036799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.972{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.964{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.956{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.950{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.938{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.931{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.920{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.911{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.905{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.895{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.883{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.881{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000036787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:00.489{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F13B31092116DBB70382B30BD4C092,SHA256=3C7993975BFEE4C78BAFAB750048FC2CE2B1916C461251DA999D8BEA589DD177,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.993{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.985{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.976{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.963{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.949{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.912{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.900{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.887{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.875{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.864{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.809{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.806{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000080483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.601{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6F4F2CFDAD297EE011319630AB3D6D,SHA256=BAF3FD8D7D98FD85B915A4CC3FACD90A89A24AE94DA5008C29BE48D2946369A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:02:57.653{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49517-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.935{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B951229A21415C2B2EE571DC30DDF41,SHA256=8BBE36B06865FEF96390F4DA7E236215D6E5D6016BEEC915B1DF74E0D68DB96D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.718{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.696{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.692{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000080506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.633{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B45C0463CE4AE4DAFE990E2BD5D4BB,SHA256=1A429E8AAD6CB1A04E02AD57B8C926E6E10191A8B66088AAF2E162D062446950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.116{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.109{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.105{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.101{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.099{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.090{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.089{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.088{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.086{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.082{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.078{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.054{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.052{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.050{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.038{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.035{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000036800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:01.016{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000080505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.074{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.065{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.057{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.037{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.028{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.021{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.019{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.017{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.010{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000036818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:02.991{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F7DEF07892ACB460C784394E3C4EA9,SHA256=D8220ACB26D86F6663D0D285FD9B24C39DF131F118C3F781BC4CFFB965DD7B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:02.683{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2092FBEBEAAFCE395E1C6F47CC033A7,SHA256=A7D8DB5C15426E8D6C59BA36434AB6315EE9E264D8E1C63009D537753882A6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:02.395{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++learn.microsoft.com\ls\data.sqlite-journalMD5=249237B55A245629FA1BDF283619FF3E,SHA256=30346B0EDDAD7166D4C19DBB0ADDC69C6BB79C1C889B65F9BF28BB4CCA60158D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:02.377{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++learn.microsoft.com\ls\usageMD5=736DA523811D3C03D2D7231BFF47C12D,SHA256=45E77A479A50559FFD0AABDDE651086570AA08ED43B12046A1C43CEF14FA769C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:03.780{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314A1129166F4FD7856267B0F73F0DF8,SHA256=F79175FADF421489BCE82F255AD9DCCF6F6EA7F717F80893B2176B36DB583DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:03.747{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:03.744{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:03.742{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 354300x800000000000000080515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.933{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55883- 354300x800000000000000080514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.874{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56941- 354300x800000000000000080513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:00.859{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55366- 10341000x800000000000000080555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.941{45AAC21C-ED0A-63D0-1200-00000000BA02}4081692C:\Windows\system32\svchost.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.859{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.833{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e87711|C:\Program Files\Mozilla Firefox\xul.dll+e74cf8|C:\Program Files\Mozilla Firefox\xul.dll+44a1f0e|C:\Program Files\Mozilla Firefox\xul.dll+24f46b8|C:\Program Files\Mozilla Firefox\xul.dll+9a51a2|C:\Program Files\Mozilla Firefox\xul.dll+9591b1|C:\Program Files\Mozilla Firefox\xul.dll+16dd7b|C:\Program Files\Mozilla Firefox\xul.dll+9a8a05|C:\Program Files\Mozilla Firefox\xul.dll+4636036|C:\Program Files\Mozilla Firefox\xul.dll+963def|C:\Program Files\Mozilla Firefox\xul.dll+971055|C:\Program Files\Mozilla Firefox\xul.dll+96ff7d|C:\Program Files\Mozilla Firefox\xul.dll+89b81d|C:\Program Files\Mozilla Firefox\xul.dll+816407|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af 10341000x800000000000000080552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.777{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.771{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.761{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.751{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 354300x800000000000000036820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:02.044{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50580-false10.0.1.12-8000- 23542300x800000000000000036819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:04.099{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8661F93F393C56B43E9C52737EF919A,SHA256=C7DEF77A6EE661F737512FAA27248C0295C07866D23A4645B8DCF4EBFC6BADCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.736{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.722{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4203-00000000BA02}8108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.716{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.706{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.682{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.673{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.645{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.608{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.574{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.566{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.550{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.529{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.417{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.390{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 354300x800000000000000080533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:02.052{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49519-false20.189.173.10-443https 354300x800000000000000080532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:02.016{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49518-false20.189.173.10-443https 354300x800000000000000080531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.943{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62791- 354300x800000000000000080530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:01.937{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63411- 10341000x800000000000000080529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.309{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.298{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.283{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.275{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.272{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.265{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.262{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.260{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.256{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:04.256{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000080601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.978{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:03:05.970{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko.7812.6224.14960595986419644818C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000080599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:03:05.970{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko.7812.6224.14960595986419644818C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.970{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000036822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:05.182{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F50048E4BC0AEC8CBB80BD7E3567CB9,SHA256=EABFFD74376A1220E370395185F4FB2A3475F07A991220A80DA65E9E34F19FFB,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000080597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:03:05.970{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.15.65415786C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.966{45AAC21C-F98D-63D0-3003-00000000BA02}78126920C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:03:05.965{45AAC21C-F98D-63D0-3003-00000000BA02}7812\gecko-crash-server-pipe.7812C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000080594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.930{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.930{45AAC21C-F98D-63D0-3003-00000000BA02}78126224C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.922{45AAC21C-ED35-63D0-7E00-00000000BA02}12363556C:\Windows\system32\csrss.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.922{45AAC21C-F98D-63D0-3003-00000000BA02}78123648C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.923{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7812.15.654157866\564441526" -childID 12 -isForBrowser -prefsHandle 3148 -prefMapHandle 5084 -prefsLen 31804 -prefMapSize 234634 -jsInitHandle 1112 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b978148c-6d27-409f-b674-7f5be311e2f3} 7812 "\\.\pipe\gecko-crash-server-pipe.7812" 8580 2786aff9d58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000080585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.918{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.914{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000080559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:03:05.910{45AAC21C-F98D-63D0-3003-00000000BA02}7812\chrome.7812.15.65415786C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000080558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.848{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0368A934B16F9B25B832525AAC9FBE01,SHA256=E03B0E68142378C325266E7AA408AFB190DF4779CB09018C1ADB797022AC26B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:02.705{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49520-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000080556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.071{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2432B737BD66DB481BD91B13FD5A5F,SHA256=AEC9BA9776A07D1409473E7AC36596BE0513FB2297DFA29BEDC88B54B3E4C469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:05.073{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-071MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.952{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.952{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.952{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 23542300x800000000000000080617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.885{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E5A40E69428BF2527E6F88CF5CF730,SHA256=08F51A6194705DEE1636773FBF55E3B9531809265F0AA1B6C353BB09E30CF73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:06.259{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8AF49EF38E0CCE82A67BB8F20DFDEE,SHA256=CCFCE76B49107F6FC2E9D20F5B3C3ECA16DF3449C665DD2EF3FC54824B79F1A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.373{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.373{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.373{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000080613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.130{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DEF112FDF2DB47EDB57B5342D9EB30,SHA256=6FEEAA780D405A272909636515AAF4BAF921E60779DCF2347AD0C564C782B3A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.027{45AAC21C-ED0A-63D0-1200-00000000BA02}4081692C:\Windows\system32\svchost.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.027{45AAC21C-ED0A-63D0-1200-00000000BA02}4081692C:\Windows\system32\svchost.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000080606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:03:06.023{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d930a4-0x383a0b2b) 10341000x800000000000000080605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.007{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:06.007{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000080603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-ConnectPipe2023-01-25 10:03:05.997{45AAC21C-F98D-63D0-3003-00000000BA02}7812\LOCAL\cubeb-pipe-7812-11C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000080602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-CreatePipe2023-01-25 10:03:05.997{45AAC21C-F98D-63D0-3003-00000000BA02}7812\LOCAL\cubeb-pipe-7812-11C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000036823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:06.072{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:07.904{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532408407C99A15D7078EE07955A99D3,SHA256=B99E3FA60180B11BDFC3244D5EC545D53393A8C3CAE8761D20E335306C355F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:07.343{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656837B56CC795665D5CF73ADA55CA1C,SHA256=722FF724452F9725925BE0A40703E5DAA8A747FDC0983A476EBB64093C578C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:07.612{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\permissions.sqlite-journalMD5=0A9C5EAEF8336ECCFB4C0325C30D5A02,SHA256=8C9E08FFE177BFD9F558C17D5D2FEAE35CB90DEC5BC76CF44621A7CCFF9F2C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:07.311{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\cache2\doomed\8918MD5=6395E5A1F5FC20BD38B23851E6C45103,SHA256=AE9867DF6CE07482E3B50E2351873714D7FD26B559C724AA53A6B3234EB80A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:07.311{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\cache2\doomed\9479MD5=2F0BFDE5DE266BA9C68D2F7A11D92E76,SHA256=CEBE0C572B0B1F7BE1CDE03A5246C6137DBC5B1DA812D3D95A3DBAB9CF5B3D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:07.039{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C4A5E4563ACBB139DAF5F4806506048,SHA256=15E6BEA5155835323A9BB8A981F7906A10E6FEC2824C64C4B48FA47364592682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:08.934{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FE33CF5C53B65768A764FBDF3B8E4B,SHA256=1EAE54A0EECC679822985FC710AE1E9729D163911AF0319C8C14D45D2D5603C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:08.451{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2516B0D5DF888BB7CDA2D99A89F96F9D,SHA256=D7F414C2EBCDDA42BE8133E9A7FBEB7E0FB7FF7FA39AA2B44717824704E535B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:05.608{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x800000000000000080629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:09.954{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363AA02DBB4EB108191331CAAF04D8FF,SHA256=52D6D62524874564FA5F76EADA21F19C6642655C68B5ABCF643342F8DDAD5461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:09.547{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7E3E5750C4DEE2222363F185A3BFD1,SHA256=15850619A73DC5ED1AE3B00CDBADDEF0206C224252983E578B8E9D31459D6808,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:07.079{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50581-false10.0.1.12-8000- 354300x800000000000000080628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:07.837{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49521-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000036829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:10.539{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6A5BE8E9AD28475E4D614909BA7C0D,SHA256=EFA01312695BBB4E208AA226AA69D35AF48B8075544D5C4F40D1F6F69F32BDA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:10.446{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=4DA6C29C56213D87B427504A7FBB1FD0,SHA256=2A2A9588693A03B4ECD58A26E1430FF63AA3A07E46AD54CD640C7B85A464E659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:10.434{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++www.google.com\ls\usageMD5=5BA3A3AA2F002CD1070243AECDB092D8,SHA256=D573DE0E3B0D99BD186B3E9C2800EB4EA4AEE922106CD707F41A0D0759B725EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:11.638{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B09AD6F10855D26A43E1AC7B974B1F,SHA256=56A5A70DCA134B64F23BF7C0065F17B640D16ED610F302417DC75EA8049E66BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:09.074{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49522-false142.251.32.10ord38s33-in-f10.1e100.net443https 23542300x800000000000000080633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:11.141{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\permissions.sqlite-journalMD5=CE1C389E363CC5A3C716BFC8D4BA5CD1,SHA256=D8F61AE800A961BD2D1E19A476BBA3580AB089FA8299B566E0C658C208331CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:11.064{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A69BDA04579B6186E696A28F05D0DEB,SHA256=6305B0E3FFEF7A3466B29137711CB838AD4BD920A8C8DA33BAF52B2FBD8B1D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:12.742{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F77816873DD90B43FE007082787DCA5,SHA256=0B4637ECEEAC017E6B0E96FBA57FA47F7E9CB1D8523727455699CC571F38E4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:12.174{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048B2F17D3BA23B408B070590764FC89,SHA256=F819DF884E000472EA545D487EE493D7E3470D2012D2F68D2E88ABCD369FC14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:13.852{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BA57B6DD3840E04982D92B65A5478F,SHA256=D30D1F26B7AC3C2E271B1252506360739368BB14FD7330E4F4C300619989C465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:13.732{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\ilosieif.default-release\cache2\doomed\8275MD5=0E307C806028454703C36A982A55F8CE,SHA256=2DFBAB37EB12E288A3B74BEC848D057C034BD07A014EE2EA3D09836F2E899794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:13.191{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E15597F9A48368B17CBCA21845526B7,SHA256=A2302DCE2AE0A6161D9625B3C98983FA109E315D05D3931C14CB108CA120A375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:14.957{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FAE9594B6C53401C25F00CE37EDAC2E,SHA256=ED5F4F80BBCC87874758D24CBC05631FEFB7B8C1436A5159D6D2711ECABFF988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:14.452{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9FBB75929F60CCCA890258B24336ECB5,SHA256=7A889E7394052BC2817479876BA637F9833FBFCA6AA3AA766E416374B3C39124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:14.212{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F62FA65DA78A5054AE6050A4A0FEE73,SHA256=58F9F59E2906E6C2282174DC9EC49E09CBCD23A1E4C9C764603F91F963945740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:14.672{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=48C29DD852DC1F2C961F4127518A8913,SHA256=E89E150610394DCFD3089E184D40A78D7B34ACEED3DE43097D0A77DBF945A344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:15.985{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=AA837911E45917AD1A0CD74B1A13F459,SHA256=5DB26DDDD875617F037306A187A3D03F5A2BF6CBA445520C0CBBCEA724BDB11D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:15.977{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\storage\default\https+++www.google.com\ls\usageMD5=8431AFF62B8EBD41569D0C9A4B8875DB,SHA256=F4F8414D653D60D5C5EBCB8B66A38D98D9015E6395315782D4D5FC8F0ED5A4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:15.946{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DCAF802F3C81AA59E2D7AB7CD7D21BD7,SHA256=2216684A9694E14CA8818257664A062CE68E227D97944D1E3410BD9A2A4EF6D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:13.692{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49523-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000080640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:15.229{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720991E77E98AF8D422FBEA5B9A07D59,SHA256=7DD59D75D3875CA84A859476B541DA3D27F8334DF748252A6232647B86723303,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:13.002{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50582-false10.0.1.12-8000- 10341000x800000000000000080654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.554{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.551{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.551{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.551{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.546{45AAC21C-F98D-63D0-3003-00000000BA02}78126328C:\Program Files\Mozilla Firefox\firefox.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993BA2)|UNKNOWN(FFFFC7230899649B)|UNKNOWN(FFFFC7230890E09B)|UNKNOWN(FFFFC7230890DFD2)|UNKNOWN(FFFFC723089F2279)|UNKNOWN(FFFFC7230890FDA8)|UNKNOWN(FFFFC7230890C7B5)|UNKNOWN(FFFFC723088F551A)|UNKNOWN(FFFFC723088F74BB)|UNKNOWN(FFFFC72308A075F6)|UNKNOWN(FFFFC723089024B5)|UNKNOWN(FFFFC72308902189) 10341000x800000000000000080649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.546{45AAC21C-ED4E-63D0-9300-00000000BA02}13363108C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.546{45AAC21C-ED4E-63D0-9300-00000000BA02}13363108C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.546{45AAC21C-ED4E-63D0-9300-00000000BA02}13363108C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.546{45AAC21C-ED4E-63D0-9300-00000000BA02}13363108C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.246{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABA839AB51CADFD224A44410DE62B28,SHA256=95245C25B4832EC967A998E41E45194D3939008CB181B4C82623B1351E9BA9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:16.037{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4404C47C6EF2D5D03B8CB38C51DC918,SHA256=8A8324C9E7373826DFE0C5C45CF3112CE7E65ACCCDB06EF258FFF063DAE2665B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:17.103{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED0E39C2A4C2AB06858D8C4C9490602,SHA256=765057A718FA23A885969C6C926C2F32BEEAA9B7046DF63792520BB71B5084F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:17.271{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6073E26A795180AC008860F5D6762B3D,SHA256=2516CA61BED2BFB15A9B633E205D54FC6C42562A9D4BFC88D8249BE42F73BE08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:18.210{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAF2023C6844C266004350E75098A72,SHA256=855B3BCB26F448AA745F0ADAC3B30BDA322F9239E3BF4751EB555BC360F7BD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:18.569{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:16.218{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49524-false142.251.32.10ord38s33-in-f10.1e100.net443https 23542300x800000000000000080656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:18.279{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3CD948FF61F775F4E7749A965AAAF2,SHA256=D2D4CA017B36DF0B0CDBB5F0DB36527674D033011D104B4F54A2B77624FF7C3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:19.303{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EB5874FDA0F9F567CD856359584897,SHA256=5F7FFE5F5B3E81A65FB4040CE51995EB5052A7F3823B26EA8A73FC17B198DBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:19.842{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-071MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:19.290{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A118C9E46613FAAD962EEF7F41E263A1,SHA256=1904375D328DD337BA7385760E7DCA4B2FD321221B04277D5F6E97A3A2CB23AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.998{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.997{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.995{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.993{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.988{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.980{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.978{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.977{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.970{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.968{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.957{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.939{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.932{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.926{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.920{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.915{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.909{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.903{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.897{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.892{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.888{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.886{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.879{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000036840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:20.394{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BADAA6D61D08E53E7467056BF05A1F3,SHA256=B9A632644AD5A93097F342ABBCC2D064F19AC7BF21F10C44D8581E250BDDF5B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.983{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.977{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.967{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.956{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.911{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.894{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.882{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.867{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.856{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000080665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.840{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.807{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.804{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000080662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:18.185{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49525-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000080661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.307{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359227D744CA5D1F74EDE1D0E1648BBC,SHA256=723865084DD1C08657D14217C7E0C2A242B34853A43636C37D1F5ED1BF502AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:21.909{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16FF55C770B002988E2A68A59AED4B5,SHA256=FE746F4569590EC878BDABCC37BDCB5AB8F10D62B3CE2432358A1A8095B893A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.597{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.592{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.588{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000080689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:18.859{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49526-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000080688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.336{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B2008B758D1C92651D8A5665B782FC,SHA256=12EBBF786FD6D4BAAB0DB515DE31AE9A5007D50DB93E3F877E10AB45947D3382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:21.023{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:21.017{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:21.011{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:21.007{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000036864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000080687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.120{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.120{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.059{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.051{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.036{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.028{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.027{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.016{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.012{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.009{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:21.005{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:20.999{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000036872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:22.994{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245DD81376E11DF7E3DFDF383D0C06DA,SHA256=F1D3C92F6C2687EEB51EBEF29A90BB44902B89F84C513E2AF9801E1BB2060519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:22.350{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F718D5BA7806974431DE39737E2FB806,SHA256=8A92C85A8BCF6911A471EC2E456C39F4D8B5F9D8B32E1B53214E35057C2FB805,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:18.975{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50583-false10.0.1.12-8000- 10341000x800000000000000080702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.609{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.608{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.604{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000080699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.372{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501B8B42038C12AD2A97B743B6F708D2,SHA256=0556D950E54FE256BEFAFFF22226FF005F8E4E590C15E743D5DD251F5526471F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:23.232{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:23.232{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:23.232{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:23.220{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.300{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.300{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.300{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.244{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:23.244{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.762{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CC6D2C9EA569DF5D431F556614BF4F,SHA256=7B061124B8626C12EDA98D79BEA86172C226B300FCA35E9589ADC83E4A7AC4DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.625{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.625{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.625{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.576{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.576{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.568{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.568{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.568{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.381{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000036877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:24.086{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D30112C7D43405B9318CDC1642F66D,SHA256=A0B9834E44980F62F257A7681D5E1C0E349574223D4DABF79570F3B4ACFF9EB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.367{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.361{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.355{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.350{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.344{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.339{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.333{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.329{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.325{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.316{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.254{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.252{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.250{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.246{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.242{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.214{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.198{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.161{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.147{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.136{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.130{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.128{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.124{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.121{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.118{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.115{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.114{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000080794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.992{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33c57(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6a1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+451c0(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2acac(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c1ab(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+440da(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c447(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.971{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.971{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.967{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.947{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.947{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.947{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.943{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.943{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.943{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.943{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000036878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:25.173{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385D5D5D697B68B086D253EEBEA68D50,SHA256=493204EE18AF13CE68EAD72201CFD7E9DF2B58F7A5A3A4D911BCD0B1C5A90D2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.939{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.939{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.936{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.931{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.927{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.927{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.927{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.927{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.927{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.927{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.927{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.923{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.923{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.923{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.919{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.919{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.919{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.915{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.911{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.911{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.911{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.911{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.907{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.907{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.903{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.903{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.903{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2d09(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.903{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9424|C:\Windows\System32\wow64.dll+31e13|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a1c(wow64)|C:\Windows\System32\KERNEL32.DLL+33c57(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6a1(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+451c0(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2acac(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+1e358(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df7d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a220(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+1e358(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df7d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x101479C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a9fb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+43d82(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df59(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-ED35-63D0-7E00-00000000BA02}12364912C:\Windows\system32\csrss.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+840bd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+69fef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2df31(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c3ee(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000080746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.899{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin1.0.0.0---Stub.exe"C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin"C:\Users\Administrator\Downloads\asyncrat\bin\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2HighMD5=6ED2CF43291BFAE767FC30810080B368,SHA256=3DED72380741082FABCEE8CD4F7CB2E09C67FF53C477DE3173A97616BB197396,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe" 10341000x800000000000000080745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.898{45AAC21C-ED0A-63D0-1300-00000000BA02}3643180C:\Windows\System32\svchost.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.890{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.890{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.890{45AAC21C-ED4E-63D0-9300-00000000BA02}13365688C:\Windows\Explorer.EXE{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:25.418{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA15D69F602C1B1D63CB7ADD0E2BF458,SHA256=B87C36BF2AEB9F7757080686B5874C80BF19576EF8106F9F7469484171E031F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.936{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02D41F1263D51773450F3D7414EAA67F,SHA256=F41CCCE3326224FD520C1F5ACAD5CDAB901288F5CF40F017703AB1131A94D97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.537{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D5AC358FE959079FE73534E1CB01E4EA,SHA256=608000624A68B85DEE3F003F3C2A379F9815F0D488A40DC39DE3638F4EE1CF17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.498{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.498{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.498{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 23542300x800000000000000080826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.498{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D70A65359189508282B5663FB311DA7,SHA256=2998D27B4F27AD16DB06FEE60615B4713A4060D4C2004C256CFFBBB5958AFF8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.495{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.495{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000080823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.495{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000036907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE6E-63D0-8E02-00000000BB02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FE6E-63D0-8E02-00000000BB02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE6E-63D0-8E02-00000000BB02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.991{72106695-FE6E-63D0-8E02-00000000BB02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000036894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:24.053{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50584-false10.0.1.12-8000- 23542300x800000000000000036893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.333{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE6E-63D0-8D02-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FE6E-63D0-8D02-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.318{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE6E-63D0-8D02-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.319{72106695-FE6E-63D0-8D02-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:26.254{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6677AB41E5C08BC3A53D43F746C0853,SHA256=7A63183D8C7F8F5A66BBBC3EDC9C8B79CF7ED7579ED82868C37FA5C1F98018EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.332{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC2839EE0546ADA126814A3DEF53658,SHA256=B09784A06DB66FC55C80DAC24D64939B41F4988787318158D61830F1BBB7C275,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.172{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.168{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.152{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.152{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.152{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.076{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.076{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.076{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.072{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.072{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.044{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686404C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000139D96DA)|UNKNOWN(00000000139D90D0)|UNKNOWN(00000000139D8BB8)|UNKNOWN(00000000139D80A4)|UNKNOWN(00000000139D74F5)|UNKNOWN(0000000011C318BA)|UNKNOWN(0000000011C31297)|UNKNOWN(0000000008A8B78D)|UNKNOWN(00000000039B1AA7)|UNKNOWN(0000000009C1DC2E)|UNKNOWN(00000000037CB965)|UNKNOWN(00000000037CAFE6)|UNKNOWN(00000000037CAF20)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64) 10341000x800000000000000080808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.040{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.040{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.028{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(00000000139B7000)|UNKNOWN(00000000139B6DE0)|UNKNOWN(00000000139B6C7E)|UNKNOWN(00000000139B6BC4)|UNKNOWN(000000000AC3955E)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD) 10341000x800000000000000080805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.028{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(00000000139B6DE0)|UNKNOWN(00000000139B6C7E)|UNKNOWN(00000000139B6BC4)|UNKNOWN(000000000AC3955E)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C) 10341000x800000000000000080804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.020{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000AC3A340)|UNKNOWN(000000000AC399FC)|UNKNOWN(000000000AC394AA)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645) 10341000x800000000000000080803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.020{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AC399FC)|UNKNOWN(000000000AC394AA)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE) 10341000x800000000000000080802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.020{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC39C2A)|UNKNOWN(000000000AC39ABF)|UNKNOWN(000000000AC399CF)|UNKNOWN(000000000AC394AA)|UNKNOWN(000000000AC393B9)|UNKNOWN(00000000037DDD23)|UNKNOWN(0000000008A8F9AD)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE)|UNKNOWN(000000000AB3F438)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64) 10341000x800000000000000080801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.020{45AAC21C-F6CE-63D0-DF02-00000000BA02}3683128C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC311EA)|UNKNOWN(000000000ECD9AD2)|UNKNOWN(000000000ECD9A3E)|UNKNOWN(0000000019A9730D)|UNKNOWN(0000000019A9722F)|UNKNOWN(0000000019A9D829)|UNKNOWN(0000000019A9D681)|UNKNOWN(0000000019A9D639)|UNKNOWN(0000000019A9CB1A)|UNKNOWN(0000000019A9D426)|UNKNOWN(0000000019A9D23B)|UNKNOWN(0000000019A9CFEC)|UNKNOWN(0000000019A9CBF7) 10341000x800000000000000080800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.012{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+15b8f(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+fdd2(wow64)|UNKNOWN(000000000AC31A9E)|UNKNOWN(000000000AC30D19)|UNKNOWN(00000000039BFD1F)|UNKNOWN(0000000008A8F740)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE) 10341000x800000000000000080799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.012{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC31E67)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AC30D19)|UNKNOWN(00000000039BFD1F)|UNKNOWN(0000000008A8F740)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE)|UNKNOWN(000000000AB3F438)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64) 10341000x800000000000000080798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.008{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1038C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(000000000AC311EA)|UNKNOWN(000000000AC30C02)|UNKNOWN(00000000039BFD1F)|UNKNOWN(0000000008A8F740)|UNKNOWN(0000000008A8F297)|UNKNOWN(0000000008A8EFFD)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE)|UNKNOWN(000000000AB3F438)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64)|UNKNOWN(0000000019A9CB1A)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2565d2(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\coreclr.dll+11c30f(wow64) 10341000x800000000000000080797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.008{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686404C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(0000000008A8EBB7)|UNKNOWN(0000000011C317D9)|UNKNOWN(0000000011C31297)|UNKNOWN(0000000008A8B78D)|UNKNOWN(00000000039B1AA7)|UNKNOWN(0000000009C1DC2E)|UNKNOWN(00000000037CB965)|UNKNOWN(00000000037CAFE6)|UNKNOWN(00000000037CAF20)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64)|UNKNOWN(0000000019A9CB1A)|UNKNOWN(00000000035258ED)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\coreclr.dll+11c30f(wow64)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\coreclr.dll+6c07b(wow64) 10341000x800000000000000080796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.008{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:26.008{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000080833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:27.509{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D5660272F16CE359ADC065EA4D53C4,SHA256=43BF80FA727906087489779ED0E7920999279ECA036A254995F6DC9CFCB5E11C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:24.671{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49527-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000036925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:25.214{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50585-false10.0.1.12-8089- 10341000x800000000000000036924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE6F-63D0-8F02-00000000BB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FE6F-63D0-8F02-00000000BB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.654{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE6F-63D0-8F02-00000000BB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.655{72106695-FE6F-63D0-8F02-00000000BB02}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.447{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90F3453750645BD841A8729F48424D9,SHA256=65FB91C5E4B8F959062565079FF6F2AFDFBB4E3FFDD49C8C78F22CD6E79BD656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.328{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4FBDEC39D3BFD96FB5E58456C9249E71,SHA256=8DDC663F7AF43CD0CE0507CF0540C97509177AC865EC1470B3F033D0C08FD7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.327{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BFF5AA4C89B9CDC54D2BAF29392A09,SHA256=6682B720B2E235571AD8C63B2335F162A6AF0522637799BE37EA435035145359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:27.147{72106695-FE6E-63D0-8E02-00000000BB02}9442760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.749{72106695-FE70-63D0-9002-00000000BB02}8321756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE70-63D0-9002-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FE70-63D0-9002-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.577{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE70-63D0-9002-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.579{72106695-FE70-63D0-9002-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.546{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3801F40D6EAE1B06F50FFC894C479DCB,SHA256=ECA1DA372AD08A90304421FB64F004A314A06D32DDA7BA094D48DB201C460BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:28.527{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8C86A70C91C6722E5FD3967AC91CA9,SHA256=8BADD999407A9CBA9306C8F758B5D70B97599000EE97C12734403CB99FE6079E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:28.088{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:28.088{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 10341000x800000000000000080834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:28.088{45AAC21C-ED5C-63D0-A400-00000000BA02}53205776C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D003D0) 23542300x800000000000000036926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:28.267{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EC48C4369E2B0BC4E057751EC4668BC8,SHA256=C8EBDBCB2CDA02B0E36D89B7A86B2457DF33FC613ACE0700BC00CD1E76A4A34F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:29.645{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8342E6CE52544DFFD56FBBE7510843F4,SHA256=4C18E4C96C073C3653A5966115C342A2266597B735D24BB52DA755DCE90142A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.552{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E757F1FD3121DBCC7A4912475071F00,SHA256=D9A299395AAD9543B0ED9B6BBB814E02E2B5285E41709BF8DEB7656F5BDC645E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.340{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.340{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.265{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.265{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.262{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.262{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.257{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.252{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.217{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.217{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000036970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.860{72106695-FE72-63D0-9202-00000000BB02}996304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:30.561{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7563A27D3CBDC1C156B32CA100285E55,SHA256=BEF632C47BCEEF55BA409408DEC9DE70D42E8D9AD671CFE7D9EBD829977867AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE72-63D0-9202-00000000BB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FE72-63D0-9202-00000000BB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.688{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE72-63D0-9202-00000000BB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.689{72106695-FE72-63D0-9202-00000000BB02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000036956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.239{72106695-FE72-63D0-9102-00000000BB02}10162628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE72-63D0-9102-00000000BB02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FE72-63D0-9102-00000000BB02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.083{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE72-63D0-9102-00000000BB02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.084{72106695-FE72-63D0-9102-00000000BB02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000036972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:31.937{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B64480B4F6BBE0FC21A604B19C5F7B,SHA256=B77112FED0496BBC1114557CA87D92B58DDE964BEBE7BCE836CFC2FFB985D2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:31.584{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526C01E7C8D4DC9B47470AB4CC95D518,SHA256=37CC30DEA47B92F86B54AEE8B12A9C4E4B249D8E4EF96BCF2C3C47A48610E775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:31.220{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E6B0FB35A7625488D92EBC76DCA2F7,SHA256=57DB163205FF728FDF746BB1CBE112611C7A1D66E1442EA071C39B821BB5BA47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:31.447{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:31.446{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:31.435{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:31.434{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:31.391{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:31.390{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000080859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:32.974{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=64D9093E1A8FD480A517C020C014CBD4,SHA256=FB68FD6ABE7FFFB59CA67685C15D1A93DE53C4FD193AEA0B8D6E60AB0BD105EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:32.696{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C082CAB8A7757E032B9F5A25522A8C0,SHA256=29994A83D17422032BAB9E3974C96988FBA2461D3313C3C1F4D6CEDA261185CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FE74-63D0-9302-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED08-63D0-0C00-00000000BB02}7204080C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FE74-63D0-9302-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000036974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FE74-63D0-9302-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000036973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:32.908{72106695-FE74-63D0-9302-00000000BB02}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000080857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:29.734{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49528-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000080862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:33.709{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520019F997199D8A0728E8CDE299B1F2,SHA256=54FA08E5BBC719FC8ADA1956E238A1DB284491BFE457057042DAD4094741A389,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:30.053{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50586-false10.0.1.12-8000- 23542300x800000000000000036986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:33.017{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E889182DB8FFF3476D3CE66C88384B4A,SHA256=B6ECC1BB723FE56676934AEFB5DF5ED2B4FC9A00DCBAE9DDAB32EF7E1929D198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:33.462{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:33.462{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:34.727{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F0CFB3ECDDC751F21AE7775B34CF98,SHA256=8943F401B2C26369751DA3C5BC31317AFEE8DBA7F7560728189331A7A43760CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:34.121{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7538BD9CE940577E94257E0B64B9EFEB,SHA256=5DC0EE00855D7543C3C5145C5EEF98B6327646E7AF38551C559107F948460E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:34.074{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3930FDF45D40D3034C8DF1660C9976A7,SHA256=C846A598D685968008D9B3A43346BB4953CD5B44D04E1C1E993C9CB95DB79EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:35.743{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61B8D8AF74DC7BE910864DB37BDDFF5,SHA256=B9277AF85C9A86AB2B135DA94059BFB22691864CE499E07BAAA5F45DE5B194DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:35.099{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A253BF53366E9F32A3243E9EC611D66,SHA256=6DB93F1B7687B987C133A978A49A37EEFCAAE3B9E008857AB774EECA84B1AEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:36.855{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FBFE9183F15FD49A757E1C32408701,SHA256=E703877EF6510C111B819323D1D26DB8A1D1C4FBDEEBF0BFD02BA7BDF351ED44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:36.199{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE62869F89CAB5D3D8B4E02DF208B326,SHA256=A5C76CAA80335A651243CC633AB5F4C89E409AA35BD6C92A1E56A970162AFE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:34.834{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49529-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000080867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:37.878{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E57F82AA29674968A3D1003498FFFC4,SHA256=649C0B84D0F7B2BCA717FB64D475B58E37F29DC19396ECDA475A0C4A719134E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:37.281{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB58AD8916CB5CFD2FC0C450F55780E,SHA256=363768325EC6DFCFD5FE7D829795134F3EEC8487F9FCE76239F2D0F934779488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:38.899{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312D34EE1934792F8CF8D9D309322F65,SHA256=D30CA9B8A2E0387E175CC448D4442846B7ED0E93F4FE28C898547C7872BE03A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:38.387{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A539C36D79BE0A62E2F8ACA4CCA3A92,SHA256=50068D39C24D94EC26B77E7CDF5897704A071E9B07399A0A33EE454A7E121E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:39.912{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82B843175D6EB49EF415C424BD462FC,SHA256=6886272DCB73F88F298F8E7B56797F12B3AB6EB877F15E3FC254899FFF48F9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000036995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:39.488{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41656A5A2B00A3628DB68E5DEF49490C,SHA256=959359BEF68C326E0D62CAA498D6DE348FBE3DC366A68DEAF83C00D650202ECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000036994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:35.928{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50587-false10.0.1.12-8000- 10341000x800000000000000080881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.985{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.963{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.949{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000080877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.935{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10278410D76DE39D91D64A15032C01FF,SHA256=3E7E0C3C87FABD66C26E575FAADEDDAFB831A319948F651E9B707125ABF029F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.916{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000037009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.991{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.960{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.955{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.949{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.943{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.936{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.926{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.913{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.905{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.899{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000036999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.892{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000036998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.885{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000036997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.883{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000036996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:40.590{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86A196BAD0AE15C721826283D319963,SHA256=E1A86025A7F98746936E8B81D1EEB29CC5E40F778FC144389E5DF2F7752DC2EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.901{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.889{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.878{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.868{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.809{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.808{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000080896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.956{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966A4A81581DC4C9869BD14B92DC7315,SHA256=724AEDEB258B50EF4D0F3C15B932360603ECD9FFD11F0E0F8BEA0836D0B62E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.860{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF6C9DCFF41B6F4E5142DA2CE5B854E,SHA256=88EDC27534598AFAAC83B2C3A52A401B079726C3D7C494EEAF6024E93BBAD8B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.702{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.698{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.693{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.118{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.110{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.083{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.080{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.056{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.051{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.042{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:41.003{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000037025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.052{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.048{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.044{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.041{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.041{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.038{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.037{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.036{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.034{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.031{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.027{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.014{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.012{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.011{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.004{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.002{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000037027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:42.888{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBF480E799465322449B8987114AAA2,SHA256=2E0741F4A1507A134DFA00019FAEE7B76CF6C77E4312A3D1A332B0842E44BA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.967{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC5480F72132D81D6B829396F941BC3,SHA256=805996C3CCEF93032FC079253667B8D3263219928B347A322AE924371B6D3E5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.753{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE7E-63D0-DA03-00000000BA02}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.748{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.748{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.748{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.748{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.748{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FE7E-63D0-DA03-00000000BA02}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.748{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE7E-63D0-DA03-00000000BA02}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:42.749{45AAC21C-FE7E-63D0-DA03-00000000BA02}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000080897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:40.735{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49530-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:43.981{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1CB10F6E8196A6707AEF2A418A5956,SHA256=58DCC046CCD2F63614CCDA9DD9A3F3B1BF79476ED03FBA4527CF60D2B1C23E8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.900{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.895{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.895{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.897{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.769{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA667243D9BE2B27C6C7E4B3CCD9754A,SHA256=327242FEA91CDCF3636E3D374AAFDF665BE2F8AF5F791658DB1B4E71418C6768,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.716{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.715{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.712{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000080917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.671{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=12FD3C7F3AE1B4E9F57B2D6CEDD0A1AD,SHA256=F5102D9B801611FDD3689C0720A7EA05291EB4B2107F9CA0B9089354754BE649,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.602{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.569{45AAC21C-FE7F-63D0-DB03-00000000BA02}28407752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.365{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE7F-63D0-DB03-00000000BA02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.363{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.363{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.362{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.362{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.362{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FE7F-63D0-DB03-00000000BA02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.362{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE7F-63D0-DB03-00000000BA02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.361{45AAC21C-FE7F-63D0-DB03-00000000BA02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:41.116{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50588-false10.0.1.12-8000- 10341000x800000000000000080965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.553{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.544{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.537{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.528{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.524{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.520{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.518{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.512{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000080956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.508{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C4C8D76439156E79A1918BBE520F9FE,SHA256=EC85358BBC9E7F00CCCEC1A6D87D38B7BE22C7B54802029F71075467174A7C77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.508{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.503{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.489{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.430{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.393{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.391{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.388{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.369{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.360{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.319{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.307{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.267{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.258{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.243{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.237{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.235{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.230{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.227{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.227{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.222{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.221{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000080934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE7F-63D0-DC03-00000000BA02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000080930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:44.004{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C65F2396B67D8CE778625CDB7B99C6,SHA256=3093DF99F1C12F32396A028136BC118D53413997F83DB2CA3A5406630CA30971,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.722{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49531-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000080967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:43.722{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49531-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000080966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:45.082{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2204569C6157BC61293C9712323398C9,SHA256=F3FAE5DF8E8BFB464990A7F436BF58DBA279F5D9797102697015A4B03882EDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:45.073{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F2B5DC443E35AAA73B6BEBD4FDF2F1,SHA256=0E14B5F46F95025D718B4CB45CCAF36B0326E336713CA0D1720E1B99925F9B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:46.154{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83839D7707EB81975EC0F6F9D91915A,SHA256=10A3F0F8A0651CBB1617411B39B8E4661B72CCE480DC2B8792556963D80972F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.976{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.976{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.976{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.955{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.955{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.955{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.955{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.940{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.924{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.924{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.908{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.892{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.892{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.875{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.875{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.875{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.875{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.871{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.855{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.855{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.855{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.839{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.839{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.839{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.823{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.823{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.823{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.749{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000080982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.749{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.733{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.717{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.717{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000080978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.484{45AAC21C-FE82-63D0-DD03-00000000BA02}30646396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.261{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE82-63D0-DD03-00000000BA02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.256{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.256{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.256{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.256{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FE82-63D0-DD03-00000000BA02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.256{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000080971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.256{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE82-63D0-DD03-00000000BA02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000080970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.257{45AAC21C-FE82-63D0-DD03-00000000BA02}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:46.152{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB30E93CEA8F67F0089882BFF094BBE2,SHA256=91A0320B24ED79D9FFBEDAF4589DC06F4AD2B12FB3AF43422805D7FE9B828361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:47.232{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0590D53BB4CE11DBE89967F133CC91,SHA256=B6D2224C38EBED0B901EDDCB5B408FD799B6F0457723F3F4C9875CB81749AD1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.993{45AAC21C-FE83-63D0-DF03-00000000BA02}58445940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.759{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE83-63D0-DF03-00000000BA02}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.758{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.757{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.756{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.756{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.755{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FE83-63D0-DF03-00000000BA02}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.755{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE83-63D0-DF03-00000000BA02}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.754{45AAC21C-FE83-63D0-DF03-00000000BA02}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:45.784{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49532-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000081051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.392{45AAC21C-FE83-63D0-DE03-00000000BA02}57325332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.224{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6635F34A6D3297C32C023EAF7D4A44,SHA256=4F073D1FB06D681A562F3BC4BC89DC164C746480434B50A8FFAC9CD655816179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.208{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.192{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.192{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.190{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE83-63D0-DE03-00000000BA02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FE83-63D0-DE03-00000000BA02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.175{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE83-63D0-DE03-00000000BA02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.174{45AAC21C-FE83-63D0-DE03-00000000BA02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.173{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F590FDC26B2FA160C7A6F2337176F0D,SHA256=26829F8A4F1FF75EF634CBFDCAADB2434E0523A380286841B150F9CB7F1A9E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.172{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.155{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.139{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.139{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.139{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.124{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.124{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.108{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.108{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.092{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.092{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.092{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.075{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.075{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.075{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.075{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.056{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.056{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.040{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.040{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.040{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.025{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.025{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 10341000x800000000000000081011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:47.009{45AAC21C-FE6D-63D0-D903-00000000BA02}48167848C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|UNKNOWN(00000000053547BE)|UNKNOWN(00000000053545AB)|UNKNOWN(000000000535320C)|UNKNOWN(0000000005351C4E)|UNKNOWN(000000000535166F)|UNKNOWN(00000000051DF8E5)|UNKNOWN(0000000004FC2006)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+10556(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1373a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+19adb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+14681b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146efa(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+146e27(wow64) 23542300x800000000000000037033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:48.323{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A209639CB11B9E1B2AB7CFED841043E,SHA256=0D818EDE679167BDBD1BBA3E13B3DB7B49FE346AF4EF378F4CB5D42BBB632537,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:48.991{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:48.975{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:48.875{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F9AAC623D9AE59163FCDEA401EFC03A,SHA256=BDD71F2A88F3E6552F3D058F4C82943050D85E7D4CA1EE12EEE7DBE701C1EBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:48.763{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F6ABF24BA790E2BADFAD097283C0E24D,SHA256=87AB30745DBEF837C8286721F1DE4A67F6D5C646B3E009BB27357B93C2DF8EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:48.391{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:48.391{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:48.283{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DFF2FDFCD74A99C88B4B8E9C4D7380,SHA256=9E819C8694A20298BEA53CE5190E1CD0686AA2E33A258E405978AF98BF62C968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:49.409{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BBA7BC719779CFC5E740F1741D756C,SHA256=2297624EDC9E3C39D870FA63AE5BC7D9329BCACAFF6186C614A1D49E73CAE78B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.910{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.910{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.910{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.910{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.910{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.910{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.910{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.911{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:49.375{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860B0DCC63A60872292B016412084442,SHA256=2A79FF0DA753BDF76E548B4E89D3F3A31374444A8B954C5107A26D2A325C114B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:50.514{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A4A06B5F6F402879BA12688DE6B7EE,SHA256=B2F734D9C2EBCB9BA3B76DD68B14BB92B5D8E9F6638C6AFDD15CE1ECFD698A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:47.125{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50589-false10.0.1.12-8000- 10341000x800000000000000081084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.694{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.694{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.441{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D13FE03629C4480B4E788D67557612,SHA256=9EAB8F46DA4F8F48982B63215C0A4693BC5B437A38F8F389A7E8D731BBFF8F20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FE85-63D0-E003-00000000BA02}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:51.576{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2558F94E32DBE6A654463B701B6E3F,SHA256=237BD4432E1589FD6104D1990A2EDDAC73E795FF1BBFA3EF3CB4C37C8AF5A60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:51.526{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0472CA2FE94A89F287C004397E2D60C0,SHA256=7297EBF5D6D9A09A89E6A1C725556C5A0089B4238B1186A831419229D65B9660,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:51.026{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:51.026{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:52.648{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B83B0235A21CEACC436DE975ECE6E0,SHA256=1C9FC9943996159B1639B440958DE2F87C8881EEAC534E08EEBAE28D4C11A506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:52.611{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5382392A77BF8BEE2297C5F8E80F1A6,SHA256=A78918C692F38964EAA0C083855B74FD6C7F8C61F251BD9CEDC535FE64CC910F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:50.889{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49533-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:53.725{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C45B6AD1DC7BFA314976A63220C7ED,SHA256=07D99D9D0FADCFB6A22850673C43360C59BEB2F0E6D8E186BFBF60202BC23EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:53.611{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6591119C791902315CF76BF9A40BBD68,SHA256=1A0A6DA4A2D8F16B7E2A85DD982EBBE71380B2713FF9F848762262C8EF294DD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:53.326{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:53.326{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:54.819{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8CD4DB9B08EDB0D047E18632A8D026,SHA256=7D8C326F64C680BF8AEDC5B160EFB5C2649144187463DDDCE97014C1CCA36D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:54.696{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1034ED65AF00B08AF9C3A78651E4058,SHA256=8469D6D0FA54ABFDAB54DF0525FFCA26FF03121C9F82DFDFD06C25AC5A94D1D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:55.900{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8909015265B9400A46927A4752DB34D,SHA256=949C21A9F1288DA6AAA49F771D04405EFCFEFF5778C3480E863D7BA21FA6DD4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:53.106{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50590-false10.0.1.12-8000- 23542300x800000000000000081094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:55.749{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623031148B2381F3457DDFD38155F905,SHA256=E25DFE348FAC110E53C2D2B51A5C42C35F788CB3B2E465301EEBAB531FB0AE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:56.834{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5170D83AE81BF3A0A3C3C7472240A1EC,SHA256=8B7ADF30C58E8DE15F2BDA967F06EE839203CB60E0E4F58638F29BAA7CA07AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:57.883{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74CA671D57D2C99224EB68C89F49AFE,SHA256=19E45EE78145922C2171BC023255A64D6D1B9E3B3DFCF447A1358190C762A39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:57.099{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF69D18A08EE4FC8988FCCEB703AF33,SHA256=3138B4680A02B0E1CB94F3785A0E6CE09EA2D97666EF85AB2BE2D0D315955E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:58.933{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E10150DA91AC5F688B7EF7B8D42B407,SHA256=A4570FE6653A62082E88A486A493E87B515817BD98F3216D32B38C7B9C51821A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-25 10:03:58.510{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d930a4-0x5782f765) 23542300x800000000000000037045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:58.445{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=349ADB977F4376626788358F2E494BDB,SHA256=5A585527EFC2DB218528682D4811E1B11CF7CCA20091A2942C1C5BBADB3D3FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:58.197{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF706F32D1FBF21AE07A3D39723FBA4,SHA256=786A7D9AF706E805FB27B9E2B137574FB781602585677CC515BC06EA6E89FE67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:03:56.702{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49534-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:59.292{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0543048B9098A761CB3F8711D47993,SHA256=49F830AA9092466F875D4043C8DDD6536DC115E24B82039BD4AA0B3CCDF5335E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.993{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.990{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.978{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.960{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.952{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.940{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.931{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.925{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.920{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.915{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.908{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.903{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.893{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.879{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.877{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000037048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:00.375{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DAB8956686ECEFBFA933B7D0FA54D9,SHA256=B31FEBC548A9848F8824B1E4A568DC235A280963A041DB165EBA05742825F349,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.996{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.975{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.964{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.953{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.910{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.886{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.878{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.868{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.859{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.807{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.803{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:00.063{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571391C48A617F2A85285675277F7275,SHA256=FA810B75D1540310B1B2EC122285F90F404AEAC8129EA7AF5DF20742363A4E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.908{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6AC1221A2508A2223B4A91DCF200D6,SHA256=AE4F54B452491DA857D07DFAD392B047E4BFD3B0B200224046CF26E928005E4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.515{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.510{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.504{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.115{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3F478EC2598C0CB09E3ABB671E1B74,SHA256=11A48782F974AF1E0C692EAD60FD0E0765F26A158F2A544C16121683241B505E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.083{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.077{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.066{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000037077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.032{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.029{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.027{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.025{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.024{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.022{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.021{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.020{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.019{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.016{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.012{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.004{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.001{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:01.000{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000081118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.056{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.055{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.045{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.041{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.039{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.037{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.029{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.007{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000037079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:03:58.951{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50591-false10.0.1.12-8000- 23542300x800000000000000081126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:02.187{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5407657A310725A6865F8C524F9C4F9,SHA256=A23FDCFBBC87B42EA89BB46617D565B52415D5525DDDB683CB78820AA261E895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:03.079{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E222E8179F1FD250A04D808D340EBFD,SHA256=070B91209754E786CFE6298ED19F9EEBAE0FA8434B807CE0A017997EEBC838C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:01.754{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49535-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000081130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:03.543{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:03.541{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:03.538{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:03.254{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69DF2713FC95E2BE39177FE16CADA57,SHA256=1A2AAA17E129B10B4471E3A5DDB00CA67557445E16EE3D53B616D8A08C46CD42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.392{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.384{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.375{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.360{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.353{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.348{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.344{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.340{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.340{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F09DF444C4329D561F87561B1429D25,SHA256=E11019C3A973C45E652145F23CB1CBA38F1CBD01BB90BC339942C6F4AD9F755D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.336{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.334{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.321{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.277{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000037081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:04.181{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1FDA2AE8C373196A2271426D61BA35,SHA256=9910C9948492A9C9C551334184878F4F9832A4511DD76A1BA11E87265C6D60A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.237{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.234{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.232{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.219{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.210{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.180{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.163{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.097{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.080{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.072{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.065{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.061{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.057{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:04.056{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:05.311{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC614CDCE1E1B5E17268CA3CC08C9AF,SHA256=CA2F6A11888203D5C768ABE1C8C924BFE06028F2AA58E0ABEE9504ABE5E2E448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:05.278{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E4F2EBAC08E23606AFED144637C23D,SHA256=1B24BF57F25FF4B40B93130C631FCBB8CF44DB561ADBBA888C8D120EDA44FA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:06.392{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769670A2DACD733694C62A72D40FE65E,SHA256=612A4B76B2DA8EFCCA1FDB22BD1E2AFD4766164EC1B3EA122E657AC2AF8B9652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:06.587{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-072MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:06.372{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D062CB5B77879225FDB171A89D2DD6,SHA256=646E4C4F2B588A5BE22014416C412D7C50485B2DD23F0D296CCB14A23D2579B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:07.475{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDD872B5BC5855450E30EE205627413,SHA256=D8F217B6591EA211CF5B12E3F3C5B6C43E884F7B6898F7B9B3CDAFFF09460471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:07.595{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-073MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:07.463{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B1C95D51F3773B06A90E7B8F7A89A9,SHA256=FD532ECA16F4A2D8FF49993904CC0208B813CF57201149A9DBCD681D73EB7281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:08.546{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971DC54138855B5BE57A8570816A86B6,SHA256=10391105E44934814DF1164DFEC2D343B17757B94145796073BF6B54E9AD9E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:08.533{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB25AAF243D2D9D377F84CE31FDC22A,SHA256=989886E5CF5A3731916B8694F6EE6A91AD236EC6041E9FF49460EAF2885AE163,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:04.984{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50592-false10.0.1.12-8000- 354300x800000000000000081168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:07.677{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49536-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:09.595{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7278DE581C14F852569D3B5D7FCE534F,SHA256=21D94ADE1801F5A17737369C057FB3AFD151B5955B40051B4AE61147315D11F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:09.619{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE59A7B82DF9F51599E1A2957F32324,SHA256=CA889D7A7AA5A874D0F7CE3689201C323BA687C38D72302DC8CFE98B0B93E956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:10.664{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9104C8F63C8B3461326C8D7B46B4781F,SHA256=6B02F9234CF637254BD68809E8EA427F5811CD582404FF9F391B76DAFA450573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:10.716{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B8447C4B0FEA23E904E6A658CA02DC,SHA256=F2E83ED50B1FECF67AF23AEA84879FF46E238F8E5DACA812768ECC7548BCF1E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:11.749{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF260D1B52207563EEAA4EADF98CA185,SHA256=0D4534B123A71A0B14E426A32DCB2AB9EBAFF96C70D891A9C4F7510861CB8F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:11.819{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEA8DFB2D5EF65B9F5EF89F3753B362,SHA256=8E262778310713E69C6CF078D40B94B9915F5A26FAD403E7B30B4BDF8CB712F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:12.865{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDF86D4EB97BBBE270FA2DBEC6C0BF2,SHA256=8332AA05D3ADC328BEE780BF443E89485F21E4B9FAE54737CE30AF43CE9B82C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:12.910{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4859DA0BC00D193F056A5D78413AD6D,SHA256=94199A36E21DA23C74DA3B2769A260DFB5AF765073C7121984E95DC710B42625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:13.966{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95560CDEBA5932E75674F95B7DFE49B,SHA256=16AB0BBCE13215648EFC26F68D8E327813B8EAC3C442A29BDF8C672686E1A1BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:10.003{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50593-false10.0.1.12-8000- 354300x800000000000000081174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:12.766{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49537-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:14.652{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7D7FB096A524D1EC5657D53310D31392,SHA256=83F07861E759C338884F70EED04E4420A9D81228DADC2680573CE103F5379410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:14.675{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B0904C2FA98F08B56B84DA8D82CB08F6,SHA256=3BDA7CF8F93507F7C463E2D5124BA379648A49DDC63311103876712716D57EFF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000037095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-25 10:04:14.528{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d930a4-0x610efeb4) 23542300x800000000000000037094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:14.012{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8725A2FA21281C4243CEEA907BED19B,SHA256=E208BA3E2F6730671CACD176C36BE95E59383EF17E99F3FFEEAE5806FB492B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:15.952{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A3DDB63A4295B16DB89F432083A05A2F,SHA256=F1BF53D3D2D7F7F7DA0198D59370FEB7FCB59DFBF70ADC80CDE9D466666320D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:15.055{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF104E13D22C3E644DF29757EE7C85DD,SHA256=2E6F8966C12A74EA6E3273C8EFCA124CDC1FADD72EB649AEF364A01B993C0DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:15.097{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF2B1518FC0A46C84D8597F0811C0A8,SHA256=FC424E7B824448005A338094761CE1D98AF30B9CEC6D231EF7C453A808F68C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:16.137{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742EA18432B43FB4D0302B39F0ED3D6F,SHA256=5EC4122FAED9B01DC98DFA0D89CE6D2AFDA259260837EA8BE4F4F659FA62C242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:16.199{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAA68A0F11417441169F12386DF58C0,SHA256=FFB82145E74A7DC397C2C8557726FE2272F55ACD3FEC4AACA1CBF302A0FE273B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:17.968{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:17.968{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:17.237{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7066F091DF9A8FABBA31D47A9A9A242F,SHA256=B107321EEF4A79594767356DA3FE64D25989B8434EE44AE1F8F1CDD41274645A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:17.298{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEE44CEFA7CAB931DBB5110D635EEAA,SHA256=490B20FB8E1E18B92A9B167FB85F65383A35F678B8F4BC3061036FE56D2B2431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:18.588{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:18.337{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F98229C399BD2188A8FCB88C321151,SHA256=78535A26A416ECA64F4FE68983BC18B7584F895761A0E567006058C3E0DD236D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:15.862{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50595-false169.254.169.254-80http 354300x800000000000000037101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:15.080{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50594-false10.0.1.12-8000- 23542300x800000000000000037100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:18.403{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84420C93648C00D8E8F5A862736CB81D,SHA256=4F691FB98AAFEC632AE22AC0751259651A0F12F00B28F1CB045DAE64A14BC444,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:18.203{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49539-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000081184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:17.885{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49538-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:19.407{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9013D0BB62B8C862D1D3560E29FE609E,SHA256=4B2FF8793CD1A97EAC4CAB5C63D46AAADB58F64E48337EE491440BFF9C9703CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:19.498{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D31FB36FFBD4D7CB5E60097A37E0FD,SHA256=87C28529DAB31AFF6516B9CF8DF1386A04FD248C12314874B9F95E04241BB585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.996{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.983{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.935{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.912{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.894{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.878{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.860{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.808{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.805{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000081186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:20.471{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C056436AE3237A4342FC1898E3A35CAD,SHA256=FB3D0397CA1D63766A9DFBF25D9FE26E0A70D6D4AA766B821CAA9DAD0A9984B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.997{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.989{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.986{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.985{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.979{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.977{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.967{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.948{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.942{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.936{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.930{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.924{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.919{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.914{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.906{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.900{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.896{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x800000000000000037106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.890{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 10341000x800000000000000037105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.883{72106695-ED09-63D0-1F00-00000000BB02}20002852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0) 23542300x800000000000000037104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:20.590{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40965038DC4CA0773C6D660365FFBBA7,SHA256=5322610A93D56B1830AF6A83153CDAE86C279C70A3B3CD73316E1166B6CF5000,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.804{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.804{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.640{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.635{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.630{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000081210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.503{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB9006DA329336FC62BCD39C2AD0268,SHA256=D0B2471D500C0D3B3FE74E84DD8F7A51AFD78B06C3481FE87D1BFC319CBFAF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.898{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D18B3CE637AA4DE79BF8D13CE070A78,SHA256=DE8EC3506B8B770DBA893BA1962852980433D0009AC60141F8F3644B3F880F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.352{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-072MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.114{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.108{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.100{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.091{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.089{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.070{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.066{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.062{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.055{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.026{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.016{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:21.008{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000037133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.017{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.014{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.012{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.010{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.010{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.007{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.006{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.005{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.002{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.000{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000081217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:22.588{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FC9BE312664E3A56AFADC9B4C668E7,SHA256=B15BC1E0871C1730724915EB6E33A83F5EA08E4AEBEEAE6030E85E7A21D8CF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:22.962{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF22E82E6B6C44F4678716F59113A8F,SHA256=1CD0AEBF649128B77D6D8A25DD2C811958BB8B5CB99068447CA7A73E7F944106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:22.358{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-073MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:23.682{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:23.679{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:23.674{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000081218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:23.658{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A09A9D13D9977A245BC8456CEF3D492,SHA256=7D11B598088D32F15A51719A812898AD0CB49EA5996F4C9E57424335C4C93745,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:23.219{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000037139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:21.110{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50596-false10.0.1.12-8000- 10341000x800000000000000037138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:24.224{72106695-ED08-63D0-0D00-00000000BB02}7723960C:\Windows\system32\svchost.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:24.036{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180D89F7C4DAE78C8DFC2F7436C08B4B,SHA256=8D1B59A44A3ED7B92D1860EE847CABC4115CDB1CD83E8AA48B1A80309B234B19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.518{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.514{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.507{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.505{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.499{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.494{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.488{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.486{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.481{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.478{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.475{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.465{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.424{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.396{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.393{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.390{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.382{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.378{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.332{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.306{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.254{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.242{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.226{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.219{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.216{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.210{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.204{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.202{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.199{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000081222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:24.198{45AAC21C-ED5C-63D0-A400-00000000BA02}53206644C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000037140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:25.117{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3909084047CFD1773CC940B113A950,SHA256=7E6376D3CF5EC427612F817CC09A78B3C455796B59FFAE4D8CCDA082D896B3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:25.911{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8721A01D42BB4B92462305EFB8366845,SHA256=D0228463D37A3E81302F075569398FBD55FE07300BFA30758110019809295D22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:23.758{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49540-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:25.147{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64084E28DB9F59D716656F80D5B2466,SHA256=D3820010D4162773D63E70CF033A0FFF34A0588C4D59D896B09FFDE15F1BCADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.929{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEAA-63D0-9502-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.928{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEAA-63D0-9502-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.928{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEAA-63D0-9502-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 23542300x800000000000000037169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.885{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6CFA36CF96C559B98A3A017A614FB743,SHA256=7BE74E716C0ECC01B6EFEA7FC602BDA929F2CC355C56AFFF22BA2DBAC69B793B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEAA-63D0-9502-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FEAA-63D0-9502-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.808{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEAA-63D0-9502-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.809{72106695-FEAA-63D0-9502-00000000BB02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.362{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEAA-63D0-9402-00000000BB02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FEAA-63D0-9402-00000000BB02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEAA-63D0-9402-00000000BB02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.315{72106695-FEAA-63D0-9402-00000000BB02}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.205{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F536FA7BEB586B50EFCD032D06F3282,SHA256=B602791EB3C4B969D3A2AAA9B0DE54929FB71309BD0FB4C6C9D90B7D0F5449A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:26.162{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2C6F669F41E0ADE61CE41473C6573,SHA256=F3AE13E9F9C89FE93E27ED877D924B5832DA5ACA83E1B242791B4290F82DB59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.622{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B3063E6B44107A3632D82F40A35ABB05,SHA256=9758A22726BEBCF28F2E27B9810BAC814AB8EDA15BB06C51FE114662011DF261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.497{72106695-FEAB-63D0-9602-00000000BB02}2808432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.416{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EC34B6E7FF9C54897934370BF9F3664,SHA256=AD0D08BDF51FF200CB10E2538A0E57C73E8920901A321BC5E11165B6F3B7CFEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEAB-63D0-9602-00000000BB02}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FEAB-63D0-9602-00000000BB02}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEAB-63D0-9602-00000000BB02}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.340{72106695-FEAB-63D0-9602-00000000BB02}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:27.338{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB13FB07178B96D51FAB89A7DF916380,SHA256=249A18CAFE4BB9983531582B3332B91AC36926D262097ADD2292F8E151D81622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:27.247{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE27312FCAE4ABEBB5B2B7FF91785A87,SHA256=807A3346EF7DF29478F241DE94ACE38D8DAFBA84648B7D119A7E12BB430AC62E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.767{72106695-FEAC-63D0-9702-00000000BB02}35362772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEAC-63D0-9702-00000000BB02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FEAC-63D0-9702-00000000BB02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEAC-63D0-9702-00000000BB02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.580{72106695-FEAC-63D0-9702-00000000BB02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:28.517{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42796BE3D9AEE01B643937978B972C2,SHA256=CDE36CCAB8D427674E5C91E135CDEE706413745C4CE875128BB0CCC4562F20B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:25.243{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50597-false10.0.1.12-8089- 23542300x800000000000000081294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.380{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A09AAC60C93D34AD943C3C3E6AB7DC,SHA256=F045683A2EDB8889014DBA68C43767234FC5FF083D4060B6A32CBD2CBD5273F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.064{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:29.610{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EAA055A7A67167C8A3DD43BEE9A739,SHA256=8C65798B665111558D5F371B7EBE3ED3581B420B75176D0CF5E8935768B8FCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:29.414{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FA1997AFADCBFFDF45FB5093D1FFB0,SHA256=FF5C5D478FC3AAA0EC9A811DB3B0CF8D6B864E6DA70C0554F4C17D8B26CB1551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.897{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDF585D333054EEC7A1A83746488EE0,SHA256=5CE1E3C18BFFD8B4D36A97FCC1899EAB9C5BA4C9D2788B62E94885485DA6AE5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.767{72106695-FEAE-63D0-9902-00000000BB02}1144788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:28.797{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49541-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000081299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:30.597{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000081298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:30.597{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:30.597{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF44fbf9.TMPMD5=F313933CBB8EAD2E2CCBEB1E1DF6F375,SHA256=6D0F7A46D6E52C1FCCFC8E3626F5E4DE92F7177E71B87C44F7DD43BA22971D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:30.515{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973AF5270E6D7634C82EECB32C16AA6F,SHA256=AABABBF18E9680E5245116EBFAE118C060A9E1A636B5B5DBF44616EB1237BA05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEAE-63D0-9902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FEAE-63D0-9902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.579{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEAE-63D0-9902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.580{72106695-FEAE-63D0-9902-00000000BB02}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:26.972{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50598-false10.0.1.12-8000- 10341000x800000000000000037220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.284{72106695-FEAE-63D0-9802-00000000BB02}26204056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEAE-63D0-9802-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FEAE-63D0-9802-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEAE-63D0-9802-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:30.081{72106695-FEAE-63D0-9802-00000000BB02}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:31.802{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC846477D7B4E31C4BF0083BC080CC9,SHA256=90C15A6F4D7311B06DA738D12C3DF8C6D8A4EE1A2FB8EC384AD08CFC02447AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:31.616{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5F6EB32B701E715FC16AA5EA2B7740,SHA256=F08BBA3214BB66FC2DE4B7E6D16BDFCA9DE27F49B8684F5957E78C729210DDAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.952{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEB0-63D0-9A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.952{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEB0-63D0-9A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.952{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEB0-63D0-9A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEB0-63D0-9A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FEB0-63D0-9A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.918{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEB0-63D0-9A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.919{72106695-FEB0-63D0-9A02-00000000BB02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.902{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DB486362E20D80A64738E09DADDFE5,SHA256=A1D5E5534C4960D5D2F24B0EB9F61D136D75B8369DDD3DF704D7BEA7C6372BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:31.305{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49542-false169.254.169.254-80http 23542300x800000000000000081302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:32.717{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D605D00E4471821612532329FDE4D5,SHA256=B64FAC201188B9456DD8997435C342A89B83E934A971D533221A55816122002F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:33.818{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F204B77A86758A242E0EFEB3CCDBC5,SHA256=0B22982F72444E672F18E8BBBAF7C6859731E104B3E3BE9B4A26D3D094F145F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:34.901{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FEFAF02FB1D408D943ECB279C33CC0,SHA256=1B8BCE9E9B0A0DF52DFB3A1D2B9099C82F033F77C23E7DABFB90A601E3D62B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:34.019{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E44FBFE51563111C33ED3538C5A349,SHA256=C25A273EEB5EBA8B51AF5F2955698EE2175B77BD15A62C2E6741EDDE0BBDDC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:34.019{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB8492763ED09CA34EE93917941BD190,SHA256=F8B85242F318D15E94D6963FAFCC95E8677003642D82E5B6107C74CFA7C17669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:35.971{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CA2D332C068358D3013C7EA155E6EC,SHA256=0F650A099482E59A58FEC5A7C97DE31C5C2EB45B0361C555F7590513F943329F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:32.005{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50599-false10.0.1.12-8000- 23542300x800000000000000037257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:35.117{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0135D95324890CDBCFE264C1BD3B492,SHA256=BECDE1C6196776DEF1910448A92F177B8FEC658882B39EBC22B4083F2AD22AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:36.223{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC20170AF52DE2528AE53A2F49A4EAA,SHA256=7CCB1E7CB9A452E9E8ADF301EBE232ED770CD9EA0B60392607957B6CCF7626AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:37.312{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B9172933A67E0002C1EDFF9693FEC9,SHA256=718AD8B472398B6596E714609DD1A2127BAD468205886F54EBDAB920E630E81B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:34.768{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49543-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:37.041{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D83DA274688388095C589EA6961C80F,SHA256=4B475B114890B6B823996EE8AA37E5A92250F70DDDF92F8FDFDD31192D3D8A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:38.415{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909677DFC17D48DA58D4FAC7D928F6C9,SHA256=7419C7D9BEB81DE3046C9BC109FA5ED95A710CF9BE0E3A4637420EC65629E232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:38.123{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E466E13E94528E6E0E548FFF59EE1E0,SHA256=36D31A1B8B1B9E0304DBAE1D20277F8A1075E46409505EBB7D34865219132A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:39.519{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D1E6961F22B37A4521AF100564926C,SHA256=D0FBC577D84FB059E8AA9E2BBB95B35143F28B50ED9F9FE710E2F419566DF673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:39.243{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0A20DF3A70B931BE2E8BADAFF3B723,SHA256=56B5535A782FD85EDCD3C88E6105AC2FF089EDF23340BE517B50ECC230A0F015,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.995{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.971{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.962{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.956{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.949{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.937{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.929{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.924{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.917{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.911{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.903{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.891{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.888{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 354300x800000000000000037264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:37.908{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50600-false10.0.1.12-8000- 23542300x800000000000000037263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:40.604{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E95322FBFFD98954087515543905B45,SHA256=18D472D01D6CE5334BF943FBD98C3A92E0112C2F1506DFD5964A8890815CB563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.996{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.965{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.940{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.916{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.905{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.883{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.821{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000081313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.816{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 23542300x800000000000000081312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.345{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE0BE46B217AF67AF75711392EE4EC0,SHA256=45DCEF86ED9B9A4DEC83246BBFA4FCEF56ADBEAF7F2F4656171147489D5A700A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.317{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=63F5E2C4A14C8742E152E1D67B36D493,SHA256=29554C06B216DF8EF0B3D19BCA1B16587364E98DDAE9A57070D3E1BE0595F8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.854{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3C01038E70ED51ED287E491C820A11,SHA256=0E344374F09DB84D5C040BDEA84EB466E49696F8992328668DACA48D49DBCAAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.658{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.652{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.648{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 23542300x800000000000000081335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.393{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0C525456CD15A1725D5BDB48B572FC,SHA256=91F0705DE8D798709C7C2DBCE84BB8A2DB485150750D3E42BD537028C20324B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.067{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.064{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.060{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.056{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.056{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.052{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.050{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.049{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.044{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.040{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.028{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.017{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.015{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.013{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.007{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:41.005{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000081334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.162{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.155{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.149{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.138{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.134{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.113{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.108{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.088{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.077{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.058{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.046{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.031{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:41.006{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 23542300x800000000000000037295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:42.901{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C425385FD870623B0B0B4527C975DB,SHA256=60C808A1DEC2FCF6183A53F5F3BD509D04212F9BFC5EC1DDF451D43E34A9ABA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.762{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEBA-63D0-E103-00000000BA02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.762{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.762{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.762{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.762{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.762{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FEBA-63D0-E103-00000000BA02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.762{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEBA-63D0-E103-00000000BA02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.763{45AAC21C-FEBA-63D0-E103-00000000BA02}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:42.462{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADC305A7EDF56C50196A16259795A24,SHA256=38A8AFBAE1B625F2A77972F21BCBEFEFBA7881F243EA735199CD026143F21A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:43.990{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98C5FA80807B9106979EE4ACD95A2D8,SHA256=C9EE0F2BCE0B5FD2F88DA8B51F9F1BFE76BA342086DB1FF3F0D3438F684DB5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.846{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5610DC8C265C56E0A890301B1A1ABFF5,SHA256=1E0BC3C9687B63BC47BF0A453DC417540A78D52B387A194BABB2EED21C9D45D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.795{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA862A747793308863E91C1B033F253,SHA256=7561C8CD4A30D68C2FB65D5CA64CEB83A984595DD9E39652A2C0F8FE84C72F4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.684{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.683{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.680{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.640{45AAC21C-FEBB-63D0-E203-00000000BA02}72726468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.623{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.622{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.622{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.605{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.539{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3081F54A7404D0ECEC32FFDF5D6E68E3,SHA256=13CED09D17DB4D528DC7618AF46ACD1D2DE263EA01986340EA77BAD4E09ED746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.430{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEBB-63D0-E203-00000000BA02}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.430{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.430{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.430{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.429{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.429{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FEBB-63D0-E203-00000000BA02}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.429{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEBB-63D0-E203-00000000BA02}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.428{45AAC21C-FEBB-63D0-E203-00000000BA02}7272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:40.708{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49544-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.932{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2374BADF3E20BBABE88F37B219A58C38,SHA256=2B7ECBD4F1FC1F42B5A410CB69B9EFF215ADECC5AACC6AE117C7589509C4D7DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.930{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2751043D5A21101C8C93883FC2A4E2F,SHA256=6019CB4DD54C2E299178AD0829F8DBDC956FA96A66FACEC88AB7BC86C22F9746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.456{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.448{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.444{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.440{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.435{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.433{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 23542300x800000000000000081400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.430{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=80F48A3AA31B6127582A2B5C47B87114,SHA256=261465E892D3A3A4993CA5A6DDB7E791D7139D4398654D2675E60873821E82EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.429{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.427{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.423{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.417{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.412{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.400{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.379{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.344{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.343{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.340{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.336{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.332{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.300{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.277{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.236{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.229{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.217{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.212{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.209{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.206{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.201{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.200{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.198{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.196{45AAC21C-ED5C-63D0-A400-00000000BA02}53206496C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019FECA90) 10341000x800000000000000081375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.110{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEBC-63D0-E303-00000000BA02}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.110{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.110{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.110{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.110{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.110{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FEBC-63D0-E303-00000000BA02}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.110{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEBC-63D0-E303-00000000BA02}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:44.111{45AAC21C-FEBC-63D0-E303-00000000BA02}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:45.981{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B18808A42DBA3B17F33E8EFAB85BCA8,SHA256=BBD61BF4A3E5B3CC29F29DDBD48CE2E7C143CA225B6CA8731C486FEEB7575249,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:43.027{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50601-false10.0.1.12-8000- 23542300x800000000000000037297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:45.082{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BF00FB9BF594211E8EA4D2308124ED,SHA256=054E328CD6BB8FC609967A15E82A52434C624BAD420DE5B956D772266F9373F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:46.156{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E500C615A18DE0845C6088FEDFCB47E6,SHA256=C13BC7126986B12B4EBC9ADA7C38A7B2CE61EF628C9A3B58B012859C3218A87D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.434{45AAC21C-FEBE-63D0-E403-00000000BA02}74286688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.404{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.404{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.404{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.403{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.403{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.403{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.251{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.251{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.251{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.251{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.251{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.251{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.251{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:46.250{45AAC21C-FEBE-63D0-E403-00000000BA02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.742{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49545-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:43.742{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49545-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000037300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:47.256{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C559B23B0027801AE1E7511DE56B5A1,SHA256=75CC25C2EB7C8E3B13BFF4762ED7848A62EB9C1AE609785D20CFB0ADDB108940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.853{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.418{45AAC21C-FEBF-63D0-E503-00000000BA02}10483860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.168{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEBF-63D0-E503-00000000BA02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.168{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.168{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.168{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.168{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.168{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FEBF-63D0-E503-00000000BA02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.168{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEBF-63D0-E503-00000000BA02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.169{45AAC21C-FEBF-63D0-E503-00000000BA02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:47.035{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0861394C0DCEEDAAFFA5071E30A0179,SHA256=9CE41A068F1C35D19D235D888AC2C45ACD555B60AD42BDDC40005E1992BC54FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:48.356{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560A88E23F24B4C291E697CCBFF659FC,SHA256=78BE2C70F3B52852BF6B253E05A7E815C347838819881C948A4D625D73B85570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:48.876{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3462D5745278EDD28C4BBDAB87C0D6CA,SHA256=A5D43BA53FE1D08139B22D719D4D69C4D73F149DE4E4555E4E7CDA84D0E69888,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:45.713{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49546-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000081450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:48.154{45AAC21C-FEBF-63D0-E603-00000000BA02}74564584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:48.069{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC818DDE9B07F7288CF6BB5BCFC052D6,SHA256=7DEEA125857C4F071A4FA7DD4CEF50EC95E3CA2F478AB2A4E4D3BE7EC2364CE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:48.069{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEBF-63D0-E603-00000000BA02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:49.457{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435053AB252F9B68979AC4C0B65529C0,SHA256=464A50215625DE8CAB9320B3AB8D317BA1ACD62B6E04BD91AB4F67EFD6EFF606,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.923{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.923{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.923{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.923{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.923{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.923{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.923{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.924{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:49.158{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5772C1A64F3CC17FFAEDAF4BC94532,SHA256=C0806340E691219361A0E088E7F57121DA9FBA2079C43317578D88577933854A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:50.560{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F895D919311EE6239947D9396FDB08B,SHA256=D8BE025E2277F2D2E6F3AD454FC37C32D959A80E23D57A18E139A7A9B2C96C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:50.351{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=EEAAA49D566DCBD1B85D2DF50ACDFAA9,SHA256=7EE0A7AEC7B1B4E90F221267476A1BBADECAAB123772AA0F73A1506820B14C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:50.249{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F93E513EB1B552614078ABA4F7C041,SHA256=F07710CEAAA803FC0CE613045F00FB83E2B114ABF0ACA92971BFF15017B6146D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:50.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEC1-63D0-E703-00000000BA02}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:51.638{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC23629CE2EDE15233D9998B38FA93,SHA256=B1647B60CDBBDD9A02E8DDE1047E53D891C4FDDEE2FC5BFFEC9C861F4C631668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:51.273{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF13119F046DA09BAE6B5960FF07585A,SHA256=F9ECA21294A0AD01EB25B60E145F345CDE30FC232C1CE3EE3A46738455B5E6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:52.726{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589061E026D03EEF698986CC0DE79114,SHA256=1F245B0EE84AAADEF7D6E66A41BC5DCE15CB928D54C3890336B0420C48F6012A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:52.307{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FBEDB53E7B943DEBB2941548A46A09,SHA256=3BD012A52239A9DC05A20763E840991FE7264D31E5289558F0328BEA5540909A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:49.011{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50602-false10.0.1.12-8000- 23542300x800000000000000037307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:53.813{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3407BC6279A0C1A05740F1CA67D8FC,SHA256=88D56A1C25116509646A1CF330E49C8C03DA7462A2A05500345565633B07A37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:53.378{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE7F116D19B2D9FB425B09862895E95,SHA256=52CF100DE4CD32877BD7F1E57E29F19E76D4AD62E737B82E8290C4FCEABDB598,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:51.656{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49547-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:54.898{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5488A4D3B2A8C4E3DB2DB0B4345176E,SHA256=2CD0B5826816B7DABDD06E9A066C5A4C9CA55DB54FED319030990F0F2F7292C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:54.427{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40381055CAE9B8909E6C5DC934732E28,SHA256=4BCAD6CC45BD919C1CE670289D4DCF240188D5571B76BD27442F3C8123EDA642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:55.984{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAF199C59B1A6B68A95CA808CB9105B,SHA256=C4731BEF21BFA96184F14EDFABDE5EC1E4923E9F8B49C04D91DE9B765023E2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:55.496{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9444F247D4BD9C616B9E994C2C011ED6,SHA256=EDA2CCD11FBA41D0D3D1967451A5FE176E389FFD4204E15336864147096087AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:56.529{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8797140C3E96CC291CBD23256E159053,SHA256=11C0E6172AC09674800D0C0B50A8568343828A93DF2FA05BA788838EFFD39BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:56.081{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:56.081{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000081477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:57.602{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBADA4BA99D69EF823213D9CCAD88BAD,SHA256=783829A5874D4D9D6C4A8F5BBC560A774C728212C5DF054EBC69EBF6A5D7A4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:57.883{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B976A4B71F2A5FAB35182F80200454AC,SHA256=3B9239E6708F5A9346AF48F42AABA89A34096C0FA1FA23124A284801D78DB543,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:54.013{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50603-false10.0.1.12-8000- 23542300x800000000000000037310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:57.066{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D19F535CF62CC42155FC1E1EE4B785,SHA256=6E5597D3E8ACE93007C0423A8A212207E6FE3C1FD3EE1ECC731279CEC0E7517C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:58.655{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B92050D91DF7771FE6628C001DC60E2,SHA256=E720F2B9EE8596CAA1731A8AE541A0506E4D669D694E73B1A041A48116BD5D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:58.164{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB497DC7817952D993E184B11C83EA7,SHA256=5208FA9260C2E32131446CFA1C2D364926AC1CDF431092C45B16AB3C7550C5BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:56.734{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49548-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:04:59.703{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D6579B938D6466E7F7428E4757D97A,SHA256=0F5D0E3D3A10E6278C7BF845FD85F25FACFBAD1780A23C9254BD6121183B29CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:59.245{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF59C23481DF2E3AAB87541B6F85108E,SHA256=F0B6BC429B6D1E8D4F20D540D23C2F8F6DD78E6D6835F88FDFD9B8355BD23806,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.987{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.978{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.932{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.916{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.908{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.896{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.876{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.809{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.734{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCC2CBB0C0952992FD39714821CF735,SHA256=C5693E9D84F3D60A6CC281761769CC32CD27EE75F69BC9FF60E8E466199C5E83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.988{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.976{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.967{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.958{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.943{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.930{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.917{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.908{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.893{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.881{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.879{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000037315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:00.337{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8F1454A5D844AD3967B5A594328EDF,SHA256=5CC8525F2BE7207354DADE4C0A777954A28AA738C599E22F4D1235A4148CCC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.481{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFD445DA4DA1E442EBAF47D8709687C,SHA256=894C30CC598DCCCB4568BF5407CCE53D2CDC27FF5CF77230F8170F9A99BE8A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.776{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CB2A316520712B41F1D81A5F59DB7C,SHA256=2CB1360C5F7A038B1B932FD2FA35231666E10AADF2542452D094431BE3C040AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.709{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.704{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.697{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.126{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.115{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.102{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.090{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.078{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.072{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.064{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.046{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.017{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.009{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:00.999{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000037344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.215{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.204{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.199{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.192{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.191{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.186{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.185{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.181{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.170{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.158{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.143{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.112{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.103{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.099{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.075{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.063{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.040{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000037327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:01.000{72106695-ED09-63D0-1F00-00000000BB02}20002528C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000037347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:02.618{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF37017C16BBB90B05C268F0D3899592,SHA256=379D7DB664C8DEDF6B84FB7B7A154C0A8112B1B2F274C38C66C983EEC29F68B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:04:59.971{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50604-false10.0.1.12-8000- 23542300x800000000000000081508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:02.828{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1290137C7FB613A25D99561AC2E9BA18,SHA256=347DA82933F701CFC95D1BCE02B3C0A908B1924650AAC5F7F286A4BA17259E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:03.880{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D3B40E9E2C79C8EF88D43CB1CC628D,SHA256=421DC5ED78BAB25DDDA31515EA0FD21B14B3298DBB8CF7868481641957D6D21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:03.711{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3372B377615E68774D5F7A568E3EF327,SHA256=372F5BDC13C7107E618E382579C1BAB48AA3139B5002F7F560A1B31C7BE66174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:03.740{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:03.738{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:03.736{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000037349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:04.788{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE865C58196F7A243018D6CA73E82E5,SHA256=20690EEFE4DDAFB036D0C401435E0BA1EDA07A12506F41E79B7DC8E902EE44F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.684{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000081542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.676{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.669{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.664{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.647{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.637{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.620{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.615{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.603{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.594{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.589{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.563{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.496{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.468{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.460{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.452{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.434{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.429{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.385{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000081524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:01.861{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49549-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000081523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.359{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.308{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.297{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.280{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.265{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.263{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.259{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.254{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.253{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.249{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:04.248{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000037350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:05.874{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0978F3CE6D0F3435464B575C941C5C,SHA256=0CA34724CFCBB141DB774B0DCAD244E54388A57EDEA73B04A3340F199934C5EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:05.080{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEC20836DB752FD351F634A09DC57F0,SHA256=151CA926BCB5DC179A7CF7B49B0866ABC6A6F3D7A33DE95114B1099C11D9897D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:06.973{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C634BD78ED4ED52E5D36DBABEF9D9B4D,SHA256=0E8C863A397A2E546CBCC4C97D518B849550F66A6DFF84B24BF7CE3CF2FD202D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:06.202{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA533294F4FAECF462EA209D5B83275,SHA256=C9545A0E5B910A82995B8BD0DEF69F43613D76E505BFAFF0D182E576B1E041A6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:05:07.319{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x800000000000000081550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:05:07.319{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Config SourceDWORD (0x00000001) 13241300x800000000000000081549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:05:07.319{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3043171C-3022-4C0A-A8DB-5CE9390B74BF\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3043171C-3022-4C0A-A8DB-5CE9390B74BF.XML 10341000x800000000000000081548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:07.304{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:07.304{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:07.251{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F45FDF1E89C0B529402F27AD8A74E9,SHA256=64802307AE09BFA95CD484742518631A6046B26A693F05B3795B2B6EAACD2A17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:05.161{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50605-false10.0.1.12-8000- 10341000x800000000000000081560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.989{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.989{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.989{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:06.938{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49550-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x800000000000000081556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:06.938{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49550-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 23542300x800000000000000081555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.321{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E144CD9579F194AC8A9B742CA65C182,SHA256=8D84C1729F4118D8CE7327EDD5C4FFBE3749F55E9020842C10EEE187486A7BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:08.123{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-073MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:08.073{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A636E20B67A7D5B58C12E3A60F5B97A9,SHA256=E913C0ED2AC4A35BCB93C9AF8DAE603DC0DB1A16702A3B6877B31FE2D6E5F614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.152{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.152{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.152{45AAC21C-ED08-63D0-0B00-00000000BA02}636812C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:07.784{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49551-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:07.783{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49551-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:06.962{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9800:b205:bd9:ffff-62240-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000081565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:06.961{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local62240-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x800000000000000081564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:09.407{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD221E05404A55324BF9A412C75AFE78,SHA256=4B52D4E3A243944ADD7D9FD13E60FC4A9039BC49D358D24DB08EDC9C4B83F4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:09.176{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B76605E3874974A825760077812783,SHA256=86B84211F7F4390851D92DC475EC261FE052BAA89C5DDB492FC3AB4F724F8B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:09.131{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:09.269{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDDE73FF6C5D011297BD0B88C1332984,SHA256=92298861F9E836A81E231C9A30306D25B58E63DD0E2D73CBEB0F72BE3D1A91E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:09.153{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:09.153{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.617{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49553-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:08.617{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49553-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:07.815{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49552-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:10.440{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C8EA5AB0C34D6C441D0BB71788D07C,SHA256=E8A8A58CF3F06D6FDD0158F71A5968870E5728FB81D1A284AB0F9008E8F6432D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:10.175{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A98015139D3619CE977F7CCDF3C077,SHA256=76D604D06B59FAFF0B204876D58EEE68625FF05BCAC5865055CB03244B359FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:11.526{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE761C9B2BFEE305E551F78540E55C73,SHA256=F6C967482F2E45FC155AC4E7131877B3E3372040143B0F2DE9117FE011D6026A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:11.255{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39360B02267F431DB356FEFE65F7BDC,SHA256=7F4668CAB0BD8C0E6FDAA3EEB89A803A9FD4E6EDAAFC5146C951D01D638D9904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:12.354{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A2AA7B1F70188C3C61917FC42C7528,SHA256=954BCEBFDCDC26DB0C3077FA1E01AF229D2C91DD671B96675979A9D98844AA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:12.579{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4EE7F3289B88EC4DE74423C0D0FA99,SHA256=973210D92ECE5CC917020850AEFDB9C5EE261122B18D004B6FC57CB82F55115D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:11.094{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50606-false10.0.1.12-8000- 23542300x800000000000000037360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:13.446{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7DDE4302AEFE136622D7CF713EF1C7,SHA256=BF2C80FACF818386F946754ED188F84208CB0C286A3CBD97C0A1F55B138FE148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:13.663{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8A1D5934D682244407144D33174DE0,SHA256=09D966094B8C781350A1C44D48836E806F517D5AA7EB78D5996B85DFF40F6D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:14.681{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0FF36BE0C2C7EC12361E155B053991A0,SHA256=AC20EE9D5DB19F8AC072DFE333C1C6E3A86A22CDF2A95ACDA2340AB95B9F8449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:14.540{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EBD839044B7B073392E09F8106F66E,SHA256=FEE0F89F6A67DC06041372F748FDEBBBAD3FB15A8255676C25A77F2C311369E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:14.682{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336003F81C7AD70FDEA0436D049E710B,SHA256=B22E11F152E0997316CA9624C3C4C379762308BAAA6A88BB3F69B319514F81E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:14.047{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=279193C52A4A6952613CB8DC6645391A,SHA256=B63BD827E3F825F5097BD6D59C6E2EBC89A23F531C4D107E273D44683E06ED4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:15.610{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0595A6B9B15E00E16567A07878030B,SHA256=082A6BB33DBA10D529C38A668E491164BA7003F205FE609B71B80559D638A16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:15.967{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1D6FE8A9F33987722DA350127B0FAD0A,SHA256=BDF5832F2D968904B8AB978EE3336C38A70DE6731448D5409AA7C18D9C0345D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:15.748{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4E7ECBD475DD574BBCAC840EBE8E2F,SHA256=D3304E196037D8C62119B4A72A903105BA58217D795740AA3D7A65175624E686,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:13.679{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49554-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:16.837{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B3EC09095AA5F8E3BE7A9F1D3E4B16,SHA256=5BEBF851554877C4F277E2164C6AD5C9004314AC39B3B1802D65E49B5A1A2AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:16.704{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20975D764376AE48BA30557847D17E19,SHA256=8E1B3BCBB6DF7392D4F577F0EFF59FC2B93092B26A0D41F3338960F3D972693A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:17.858{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0BC1E08E3383B16672D0F25B8588E0,SHA256=E6150518083F84E739214608D7CA5C435A55318447E922D9CC3E220F86C18A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:17.803{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E86AEA84BFC82799364437DF4F2436,SHA256=0190A977460CE034C4C222694FB5B1BA3ED88113D2E9E34262265AA6CC3DB630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:18.909{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3B1C4DA4F583994F119FED541B6D19,SHA256=EF7B22A27530D28A9419C9099CC17F2198FF51A46F5D5E1B097289FFE386FACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:18.897{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9A6A0720F9C10C83D8122D08679631,SHA256=812B43216A4FAAE71131BC45C58EAC91E58D83F2EC59E5B47E70F82B4C5324BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:18.611{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:19.994{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EAB2DE885066BB301ABCFCF5B87F4E,SHA256=62F0E2CB66375827D6826EB7CD113CAAB6BAA30A3CA485285C671335F06DAE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:19.961{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928ED81201B367078655E1B68E25D64A,SHA256=C159E7F16F250E62A143F9C98EE506625EE221D69189882F7BC8C5F560F6E858,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:16.992{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50607-false10.0.1.12-8000- 10341000x800000000000000037383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.999{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000081595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.988{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000037382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.979{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.955{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.948{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.942{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.935{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.923{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.916{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.911{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.907{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.899{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.894{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.892{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:20.889{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000081594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.914{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.892{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.875{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.866{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:20.812{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 354300x800000000000000081587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:18.793{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49556-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000081586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:18.225{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49555-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000037399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.089{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFFBB0545161D921F11B76E0670BCC5,SHA256=F3F3EA13A56E4EEF3B1DFFCEEBF59140AFE7CF6A951BC1E6E4B0E4AC89E90E0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.069{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.064{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.061{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.059{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.055{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.051{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.049{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.048{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.046{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.036{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.032{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.021{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.018{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.014{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:21.005{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000081613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.689{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.685{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.681{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.114{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.109{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.102{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.092{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.089{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.082{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.078{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.073{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.070{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.059{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.034{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.027{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.016{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000081597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.007{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7D291FBAE8B575F7EC77B11CE3E096,SHA256=7EEF6EAB79761B226E80E2EF605B5C21561062308C67D20A8078BF311627977D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:21.000{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000037400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:22.088{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC8F258E4C2B2762BDF67FCAE9BD196,SHA256=D724A6D8523110ADB4CB0175F93723185C4D86427A524E3D07627C0C4AE52EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.893{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-073MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.792{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.792{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.792{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 11241100x800000000000000081661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.localT10532023-01-25 10:05:22.784{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Roaming2023-01-25 10:05:22.784 10341000x800000000000000081660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.771{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.771{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.749{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.732{45AAC21C-FEE2-63D0-E903-00000000BA02}35161280C:\Windows\system32\conhost.exe{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.700{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.700{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.700{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.700{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.700{45AAC21C-ED35-63D0-7E00-00000000BA02}12363556C:\Windows\system32\csrss.exe{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.700{45AAC21C-FEE2-63D0-E803-00000000BA02}71886980C:\Windows\SysWOW64\cmd.exe{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\SysWOW64\cmd.exe+ebb2|C:\Windows\SysWOW64\cmd.exe+69f6|C:\Windows\SysWOW64\cmd.exe+68fd|C:\Windows\SysWOW64\cmd.exe+c912|C:\Windows\SysWOW64\cmd.exe+c161|C:\Windows\SysWOW64\cmd.exe+8553|C:\Windows\SysWOW64\cmd.exe+c1fc|C:\Windows\SysWOW64\cmd.exe+10c43|C:\Windows\SysWOW64\cmd.exe+1499f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 154100x800000000000000081650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.704{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Roaming" /tr '"C:\Users\Administrator\AppData\Roaming\asyncrat.exe"' C:\Users\Administrator\Downloads\asyncrat\bin\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2HighMD5=4B95F8D55CD14BD3D38BF24A521D3577,SHA256=CAA9AF113C1682AD8A6644342B37D96AA544F1AF712D446BD29EF9F12BA30CA0,IMPHASH=BEF0464378C9F8D07E6BF56FFE61864B{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Roaming" /tr '"C:\Users\Administrator\AppData\Roaming\asyncrat.exe"' & exit 10341000x800000000000000081649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.700{45AAC21C-ED0A-63D0-1300-00000000BA02}3643180C:\Windows\System32\svchost.exe{45AAC21C-FEE2-63D0-EA03-00000000BA02}6484C:\Windows\SysWOW64\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.681{45AAC21C-ED0A-63D0-1000-00000000BA02}4442096C:\Windows\system32\svchost.exe{45AAC21C-FEE2-63D0-E903-00000000BA02}3516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.681{45AAC21C-ED0A-63D0-1000-00000000BA02}4441360C:\Windows\system32\svchost.exe{45AAC21C-FEE2-63D0-E903-00000000BA02}3516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.667{45AAC21C-FEE2-63D0-E903-00000000BA02}35161280C:\Windows\system32\conhost.exe{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.650{45AAC21C-ED35-63D0-7E00-00000000BA02}12363556C:\Windows\system32\csrss.exe{45AAC21C-FEE2-63D0-E903-00000000BA02}3516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.650{45AAC21C-ED0A-63D0-1300-00000000BA02}3643180C:\Windows\System32\svchost.exe{45AAC21C-FEE2-63D0-E903-00000000BA02}3516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.650{45AAC21C-F6CE-63D0-DF02-00000000BA02}3686288C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+ef36b(wow64)|UNKNOWN(0000000009C17D73)|UNKNOWN(0000000008B95E81)|UNKNOWN(0000000008B95DF5)|UNKNOWN(0000000008B95D1E)|UNKNOWN(0000000008B95C2A)|UNKNOWN(000000000AC7025C)|UNKNOWN(000000000AB3F645)|UNKNOWN(000000000AB3F4FE)|UNKNOWN(000000000AB3F438)|C:\Users\Administrator\Downloads\dnSpy-net-win32\bin\System.Private.CoreLib.dll+2575d1(wow64)|UNKNOWN(0000000019A9CB1A) 10341000x800000000000000081642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.650{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.650{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.650{45AAC21C-ED35-63D0-7E00-00000000BA02}12364912C:\Windows\system32\csrss.exe{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.635{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.635{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.635{45AAC21C-FE6D-63D0-D903-00000000BA02}48165640C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\shell32.dll+1a9394(wow64)|C:\Windows\System32\shell32.dll+1a926e(wow64)|C:\Windows\System32\shell32.dll+1431da(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000081636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.645{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Roaming" /tr '"C:\Users\Administrator\AppData\Roaming"' & exitC:\Users\Administrator\Downloads\asyncrat\bin\ATTACKRANGE\Administrator{45AAC21C-ED4C-63D0-BD09-0A0000000000}0xa09bd2HighMD5=0FEC5F30E705EADAEA5E9144F2FB12DC,SHA256=614CA7B627533E22AA3E5C3594605DC6FE6F000B0CC2B845ECE47CA60673EC7F,IMPHASH=B20DE9D5F257E3C5BDD2834F89FC042A{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin"C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin" 10341000x800000000000000081635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.635{45AAC21C-ED0A-63D0-1300-00000000BA02}3643180C:\Windows\System32\svchost.exe{45AAC21C-FEE2-63D0-E803-00000000BA02}7188C:\Windows\SysWOW64\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.635{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.635{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.618{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.597{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.597{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.581{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.581{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.581{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.566{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.550{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.517{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.517{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.517{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.517{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.517{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.497{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.497{45AAC21C-ED0A-63D0-1000-00000000BA02}4442096C:\Windows\system32\svchost.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.497{45AAC21C-ED0A-63D0-1000-00000000BA02}4441360C:\Windows\system32\svchost.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.481{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x10C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+320de|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+7066c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2fce(wow64)|C:\Windows\System32\KERNELBASE.dll+153ccc(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000081615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.481{45AAC21C-F6CE-63D0-DF02-00000000BA02}3682604C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2cb0(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a2c32(wow64)|C:\Windows\System32\KERNELBASE.dll+153d25(wow64)|C:\Windows\System32\KERNELBASE.dll+153c72(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+6a1ef(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2c378(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll+2de36(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000081614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:22.033{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A93D72C1B9C01AD232D50B312FB101C,SHA256=1B4F1814A3FB427127F9EDCEFA7DEEAC18CBC8FAAA05DF1FFF3EB819FA7903C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:23.237{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:23.237{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:23.237{72106695-ED08-63D0-0B00-00000000BB02}6243468C:\Windows\system32\lsass.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:23.219{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:23.158{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCDCD6E3EBFB81838347BA1DFF1323F,SHA256=194BAC7148F23298183FDBC09439D210D6EBBC6E7FDED6BD1A1B05C12119A12B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.893{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.861{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F87BC4079098BB00D175B3E0290A116B,SHA256=73153ABDB9BE2667D89528379189C38F916534236365CC925EFA8F61AF133985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.711{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.708{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000081669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.708{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04B5EA45C40CF709895EA7CC42DE4398,SHA256=DDAEB90212BDC5F3C5BAF9258BFD7FFDA3888F78658A2A987CD17B550ACF23B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.706{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000081667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.171{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9310CB37BFF2B1789A29430ABAD761,SHA256=F2BD1F44E71306A5DC8BB6DC5003BFF9C69A59A726A3DDDE5CF6D3755C19326D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.171{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F52BA1E2B7F51FF262C9F6AF2ABD69,SHA256=1657D8CB4B8BCC045315D050AF72705DA8AF5A3515583136A8F11B4862043FFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:22.127{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50608-false10.0.1.12-8000- 23542300x800000000000000037406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:24.256{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610D67F186B28AA92554733386A9B7BA,SHA256=4E51AAC1945333068D6EFFA71096E973AD510479F968DE2968D17DDC30C93614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.569{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.564{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.561{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.558{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.547{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.538{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.526{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.518{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.514{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.510{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.508{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.494{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.455{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.414{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.412{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.409{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.401{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.396{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.340{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.316{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.283{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.272{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.256{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.239{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.237{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.233{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.227{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.227{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000081676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.225{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1F1BFC7D0F1A2A36C157A34B919407,SHA256=C7B8DE72DB34F166C44656A578758597FC5D641474B704E3EFC07A579E2248A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.223{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 10341000x800000000000000081674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.221{45AAC21C-ED5C-63D0-A400-00000000BA02}53204412C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80A90) 23542300x800000000000000037408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:25.325{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F2040316C9127B3E265B24A805E086,SHA256=F76B106F172DEAA284B5E9EE71F662E63924E099E32C49365685D5026D8C2028,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:23.873{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49557-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:25.307{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0DFFBF4C46E83B8D94FACC6DF84680,SHA256=B67D4D47D87E223AD1EBFC8B73A9849DC9F36DA7F479F8C5C12604F7B8394594,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:25.276{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED06-63D0-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000081707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:25.260{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:25.175{45AAC21C-ED08-63D0-0B00-00000000BA02}6367276C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:25.160{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.902{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49560-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 23542300x800000000000000081715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:26.345{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AF0D00E5C7ACE18F3B24515BA2BBA0,SHA256=9762DD53B0946038AD488509F04E121CBE06D53991A3F5655518E6D90709A276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEE6-63D0-9C02-00000000BB02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FEE6-63D0-9C02-00000000BB02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.809{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEE6-63D0-9C02-00000000BB02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.810{72106695-FEE6-63D0-9C02-00000000BB02}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.444{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16A350AFDFDB8C19B68F2A994CE5AB0,SHA256=DA44A214D24C91C4FDDC653A6AFE21C888AAC80B014DA654FA2F5BDE481786AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.382{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEE6-63D0-9B02-00000000BB02}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FEE6-63D0-9B02-00000000BB02}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.319{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEE6-63D0-9B02-00000000BB02}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:26.320{72106695-FEE6-63D0-9B02-00000000BB02}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.808{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49559-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.808{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49559-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.796{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49558-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.796{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49558-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000037453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.523{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E0CC546BEFC9C88914F1C7F67959F2B,SHA256=45B7BBC125D6AD03C9F60AF8F805F347126DC1830F3FBC468B827620341C2B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.427{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BE6F50E8509B9CF0E770D098CF789F,SHA256=999ADFB8527CF814DA7309C3B301CA7019FAD8B536F2175C9231FF8EA273A41C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEE7-63D0-9D02-00000000BB02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FEE7-63D0-9D02-00000000BB02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.411{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEE7-63D0-9D02-00000000BB02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.412{72106695-FEE7-63D0-9D02-00000000BB02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.909{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49562-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x800000000000000081722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.908{45AAC21C-ED06-63D0-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49562-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local445microsoft-ds 354300x800000000000000081721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.903{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49561-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49666- 354300x800000000000000081720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.903{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49561-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49666- 354300x800000000000000081719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:24.902{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local49560-truefe80:0:0:0:9d7a:ca00:70f:19a2win-dc-ctus-attack-range-460.attackrange.local135epmap 23542300x800000000000000081718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:27.464{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=3EC569D62407198C46B62E1C65C86E2E,SHA256=11A6763198C5EC09BAE190FD1A4558FA7703DA41117E7C3227711B5E78E8DE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:27.379{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78778C7ACF4C26BFF0368B1C4CBA5D26,SHA256=90CC519E76E9C1A38927175340990C97C2F8DFBE6BA203E5655DBA2457122731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.193{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D6BF32FBFEAC72D0C56B403CC2CE7EF2,SHA256=9180085E36ABD09562B2100B37F43393E7C88043B1C217555CDA20417B0BC992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:27.014{72106695-FEE6-63D0-9C02-00000000BB02}3972632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.753{72106695-FEE8-63D0-9E02-00000000BB02}1996952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEE8-63D0-9E02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FEE8-63D0-9E02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEE8-63D0-9E02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.582{72106695-FEE8-63D0-9E02-00000000BB02}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.519{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED10A1B2612D9ADD127D23547492C9D,SHA256=B7942FFD38CE01AE5FE4A756D065F9EB634ECF667F4BD3C3FEA756D42E7E213C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:28.954{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6DA68E1789DEE0D793B03FBDF1E44E0F,SHA256=E1AB96ECACD4052A93255022AA522804B35FF833D3D2FD35C04AA8EBBC9D46C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:28.452{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77DEAFE5D1463D5B173B7E3116DCAE2,SHA256=6EEABA1066A8E8C7E28FC2A9C4386C0853C3E4ED21F99E4241DB270222B8D0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:25.263{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50609-false10.0.1.12-8089- 23542300x800000000000000037454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.116{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B55C966DE50388C4930A7CA58B46AE5E,SHA256=0BFDA2D316F2263B1B666A69F2F8667B80072EF35F10FD28948CF0180848C8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:29.620{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E11A50833FD9EA73FC8EC8700428C78,SHA256=C1FB3499114B12EBCF4B8C0D51CA316D1122A63F59581CA98A726DBB6340D692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:29.517{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987828FBBF4757A28A892A6228DC2D54,SHA256=40C8CEBF4176D93E86ACFB1A349B3B190451EE7DB7D42FB1AA4342BEBCE533EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:29.233{45AAC21C-ED08-63D0-0B00-00000000BA02}636772C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.959{72106695-FEEA-63D0-A002-00000000BB02}14161448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEEA-63D0-A002-00000000BB02}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FEEA-63D0-A002-00000000BB02}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.772{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEEA-63D0-A002-00000000BB02}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.773{72106695-FEEA-63D0-A002-00000000BB02}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.724{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D073BA2694F6F80ED0B479099C621E,SHA256=C408FA6CC608BDD6448267776551769FC6576A7FA2FCEF4012F536C4F5A01CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:30.588{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\aborted-session-pingMD5=74AD28D2EB288C975865C1BA14790C1B,SHA256=0F025D407BA33DCFC45BC1AA3E5B9F38CFD864FC61EC6D6C6DE939FA3F4F62A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:30.572{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B238C286E01E4CC898DBD6DAC977A6,SHA256=2B7C7EDE706E57BCE14EB2333F9CC5F497545C957B113D7A861F1D41D20F6860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.330{72106695-FEEA-63D0-9F02-00000000BB02}9362936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.304{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEEA-63D0-9F02-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.304{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEEA-63D0-9F02-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.304{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FEEA-63D0-9F02-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEEA-63D0-9F02-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FEEA-63D0-9F02-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.088{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEEA-63D0-9F02-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:30.089{72106695-FEEA-63D0-9F02-00000000BB02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:31.824{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D5DA159EA9C90B7B324190EF705756,SHA256=0EB51B7A728096DBFF94B7F7150A3F019B3218B12CB1D3586D079E4F631ED714,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:29.851{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49563-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:31.621{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C63713A5E84E6F7E5F7BF19CEC8B68C,SHA256=8E5EEEF4283D8CFD52A2EF25FCE49E537FA2354C928AFD2044CF87A5B8BB0488,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:28.009{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50610-false10.0.1.12-8000- 10341000x800000000000000037519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FEEC-63D0-A102-00000000BB02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FEEC-63D0-A102-00000000BB02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.924{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FEEC-63D0-A102-00000000BB02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.925{72106695-FEEC-63D0-A102-00000000BB02}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:32.908{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EA71CA9A013845867D699B2B19E851,SHA256=35263428C7F6D106F6B227688A318BD123FB39D5A57BEC2F5950D8EB0D5AFA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:32.660{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F87AB7A8DEBA66A9767C23F0642813,SHA256=193B97C1C5608CFBFD2090958058AE206289884A840CEC8324920513248260C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:33.678{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F60A6CCBFA3399DC113487EBB3DDF,SHA256=6F22E50CC7D9B2740E1FF26FC0C2F587BD6D47849EB37BC9F4F8C0FFBAB9F34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:34.729{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F265C512EC8AA827EC457A174C3B9906,SHA256=355E3AED378486D797972D167FC20FFC120C06569FC1BAFFBF67B205C801A13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:34.011{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2862CE3A926B059CACE7479AD7F8AEF4,SHA256=8D3F5B6B9C1AE93756470044656EB3E634830F104A507A6BCD19FDE76DE2D4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:34.011{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81CA6FDC7FE1DE15E8F64E4C452C11E0,SHA256=9D6F4C3C296CD5560BA2C2E583C19FA437FBDBCE2695D3EFF6FD22C7E1015C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:35.766{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A585CF626332C31D22D8D1D969FDB562,SHA256=55F04130F1AF49C30A58A5643D02861CC5EC8ADBD35E2C2A018ADB91DCB03AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:35.093{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184788A002E821CE68DF3046AFCBB06E,SHA256=3F60EB704D230BBC67008371F51756441E6BD3973E686677FB2471BE9F76354E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:36.798{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F783F159CB49D79D66640290F45D02,SHA256=ECA2B0ABB09FB0A0C4066EABEB18AE68D57CB22799046A8E44908F2A670D24F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:36.161{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78CB2BB9CD86BCCC4D4D9FCAED60AEE,SHA256=C8678C650C5222BC7D2BBDDFA88A71A15889E2F38CA8448E979E15E0E8F92B08,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:33.017{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50611-false10.0.1.12-8000- 23542300x800000000000000081738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:37.869{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B59F5A7FC715F9907437FE655CF4B94,SHA256=A1FC64907A3002F9DEC4C0E98F9A2FD2639F34C2183409EF9819266C152469BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:37.247{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6513DE452129C581B42D57B7426EDB4C,SHA256=36A9124E573F2B1D8BD4733EEA92DF8E588D7ED6C91772BC40CAC5DFCC8ABA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:37.167{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A0FA1968CA4147851EC9A1D27FDE247,SHA256=37D450731D2301EE1F353B94B8CF742BA7968AF9C17E430062746A8D6D4F2FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:38.886{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A80CD295B14F117EEA02796B79C70CF,SHA256=D3E05B4BAC374479B439787BDAF129863C993C5CFB34D382D1970221E2772847,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:35.713{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49564-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:38.348{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFACAB9A365F41C9555B3E7C81EF5570,SHA256=EDB200A0E7F9E521C0C90305DE1346DEB19AC08D6E1DD43D293FCD6F83A17460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:39.919{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A704670A23119CDD440626B5E65AADC,SHA256=71DDF4EF3171EF280A87987635BD69D5C3C4AE4F787162FAFB39BF4E8EA8F27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:39.448{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FDFDD0C596A210AD76CDD9F012AD19,SHA256=648FB5238D82F65E516E4C04DC0155C4B5F7AF7B9504CF35273D402FA1BAF1C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.997{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.994{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D3CA35F21EA07D635C3C2B9C1B59C2,SHA256=292874A8C8D29B8EC6DF54DA4943EA53B04BBF1AD19379AECDFA1FAF11E13FB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.981{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.951{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.938{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.929{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000037541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.989{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.959{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.952{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.939{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.931{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.924{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.919{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.914{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.906{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.900{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.895{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.888{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.886{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000037528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:40.537{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0B0E4009A762A5CA624F98D58BA5F6,SHA256=6D305349960C9B9D0FDBA4CA3B598EA503B465D58D45CD620F18F1E1B441FCA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.914{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.889{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.816{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 10341000x800000000000000081742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.811{45AAC21C-ED5C-63D0-A400-00000000BA02}53205468C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838F10) 23542300x800000000000000037559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.810{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1E6B552AA19B82991A1E7EC2E7C35B,SHA256=61F7CE74DF4E5D6217B6C683CEC97027F722E73DD9207B0FF31A8B7F044ACA02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.543{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.539{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.535{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.100{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.094{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.084{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.074{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.073{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.063{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.058{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.054{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.048{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.040{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.025{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.019{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:41.012{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 354300x800000000000000037558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:38.141{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50612-false10.0.1.12-8000- 10341000x800000000000000037557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.054{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.051{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.049{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.047{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.046{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.044{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.042{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.041{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.039{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.036{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.032{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.023{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.021{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.019{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.012{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:41.008{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000037560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:42.839{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4455B85D33257BECF240ECB44E339A4D,SHA256=C2D90F2E86AC137FB5F0A07ED071D12D670EDE1BA06D4BDD1DD3BCF360C68DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.995{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEF6-63D0-EB03-00000000BA02}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.995{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEF6-63D0-EB03-00000000BA02}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.995{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEF6-63D0-EB03-00000000BA02}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEF6-63D0-EB03-00000000BA02}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FEF6-63D0-EB03-00000000BA02}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEF6-63D0-EB03-00000000BA02}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.777{45AAC21C-FEF6-63D0-EB03-00000000BA02}7744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:40.769{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49565-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000081770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.476{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.476{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:42.025{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2A75193998614F6065F86AD45ABE3B,SHA256=ADBBDE58A9B19EE4FC7FF258EF9B33C2DB75B3A44424B94231B0F9C0F21C72A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:43.920{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFB94FDD577C50644571B6C48F45F38,SHA256=02224B3ED8426B0E80D0A88F7FEA953137F45E4CA8E2F8CEA290D445CD325D27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.963{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.961{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.961{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.960{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.960{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.960{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-F3A8-63D0-3302-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.960{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-F3A8-63D0-3302-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.959{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.860{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66AF130F3482FF6E39ECFE3E8147C056,SHA256=DC787128D69A698E7AB809C7082E1DCF067B2943A4A581D04475F5059B9B973B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.604{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.581{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.580{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.577{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.477{45AAC21C-FEF7-63D0-EC03-00000000BA02}73723652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.277{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEF7-63D0-EC03-00000000BA02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.277{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.277{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.277{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.277{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.277{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FEF7-63D0-EC03-00000000BA02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.277{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEF7-63D0-EC03-00000000BA02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.278{45AAC21C-FEF7-63D0-EC03-00000000BA02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.086{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667CB009E88430F83D6A65F827F64407,SHA256=B7B9154CE8926F9E6E2E2C802F2C898EEA774195C3883E211D996674F11A7A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.396{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B8ED3CD35CAEC9B1D81F57A526C5F3,SHA256=FF70CA8746CF9B4397DC4AF9FEA6EB008B0BD6C1A7519A918DE7C35674387DEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.265{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.263{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.261{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=15E72F0577C36D1098A9318B0461A21A,SHA256=7F19A2A24669C4BA2D95B0F7C273EAC615151C784A2D67BD368D38117E580D78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.260{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.257{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.251{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.249{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.246{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.244{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.241{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.238{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.236{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.229{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.212{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.198{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.197{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.195{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.191{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.189{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.168{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.154{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.123{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.116{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.100{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.096{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.092{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.091{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.088{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.079{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.079{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.079{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.071{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.070{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEF7-63D0-ED03-00000000BA02}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:44.066{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=618E06385ADA99243C18187295C99BCF,SHA256=63E90DFFC4CFF98D83EBCB53659AC169F7BF906D7862F9009B6F937EF8D6826F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.750{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49566-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000081847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:43.750{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49566-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000081846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:45.483{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3C738C7C67759818DA50611827C379,SHA256=3A7D8B125D84F08FA1F7577BAED6F07164EA39349376DE7A55C418C9782D2403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:45.002{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D1880DFE748CB5A854056189DF5458,SHA256=881B1CB8A5AD12EDC1E44A07B2402D70B7F5DB18F027A79D799C208BCD81EE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.531{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E6172D24856566F84117C30034531C,SHA256=C1CD4CCA83E9E60A99AE60A26DCE9AFE9AB21346356F9DB3B05F6553A35B0030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.531{45AAC21C-FEFA-63D0-EE03-00000000BA02}39364516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000037564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:44.008{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50613-false10.0.1.12-8000- 23542300x800000000000000037563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:46.090{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFD9041CA91C8123C081B7ADE1E1FBA,SHA256=812177F5BF7D3284A9F5F7CB1F7E458F133DFCFE2C1A7A4E93D78C0242E717BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.266{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEFA-63D0-EE03-00000000BA02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.264{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.264{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.264{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.263{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.263{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FEFA-63D0-EE03-00000000BA02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.263{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEFA-63D0-EE03-00000000BA02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.263{45AAC21C-FEFA-63D0-EE03-00000000BA02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.921{45AAC21C-FEFB-63D0-F003-00000000BA02}46206664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000081878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:45.878{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49567-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local135epmap 354300x800000000000000081877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:45.878{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49567-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local135epmap 10341000x800000000000000081876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEFB-63D0-F003-00000000BA02}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FEFB-63D0-F003-00000000BA02}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEFB-63D0-F003-00000000BA02}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.687{45AAC21C-FEFB-63D0-F003-00000000BA02}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.619{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85019B45FA4637E3D7AD26E6A0DE4876,SHA256=5407695E31306CEC50D8BF673972ADD17AFAEA4D6B111287555251E5042AE6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:47.174{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680208EC321A836C2714F2D98964681A,SHA256=3ADD7EB88F196695E44E5E2844BEAE539FD23B44BE2C2C5A980C5A2EB6E44F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.404{45AAC21C-FEFB-63D0-EF03-00000000BA02}76687444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.186{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEFB-63D0-EF03-00000000BA02}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.186{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.186{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.186{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.186{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.186{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FEFB-63D0-EF03-00000000BA02}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.186{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEFB-63D0-EF03-00000000BA02}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:47.187{45AAC21C-FEFB-63D0-EF03-00000000BA02}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:48.890{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0B2A4B14BF14D203B5EEA16EC41399,SHA256=05CF24AF09C60E635FE5824FBB55AFE421A489E2E1DCE0850A70EAFC10B65CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:48.890{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89B15E72991D305B8E834BC10160D016,SHA256=40582CF2FFDCAACCA060F16C32F68927179D4BA9D04E7EB2876DC3886C16B3A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.791{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local54007- 354300x800000000000000081927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.790{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51881- 354300x800000000000000081926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.789{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53615- 354300x800000000000000081925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.786{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56835- 354300x800000000000000081924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.784{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local55246- 354300x800000000000000081923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.783{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local65206- 354300x800000000000000081922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.778{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52271- 354300x800000000000000081921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.778{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56256- 354300x800000000000000081920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.776{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52456- 354300x800000000000000081919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.775{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52114- 23542300x800000000000000037566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:48.277{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBDF1196F2E6099352ED3E3F5EE8DA5,SHA256=2784C6271B72FE2B16DCE0B7A86A3A1EAC34E51283A2E427C98E3B02D48E0C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.774{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52555- 354300x800000000000000081917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.772{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local54897- 354300x800000000000000081916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.771{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53018- 354300x800000000000000081915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.770{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64249- 354300x800000000000000081914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.767{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53260- 354300x800000000000000081913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.766{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63981- 354300x800000000000000081912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.765{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49675- 354300x800000000000000081911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.764{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51489- 354300x800000000000000081910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.763{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52770- 354300x800000000000000081909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.761{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52165- 354300x800000000000000081908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.761{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64688- 354300x800000000000000081907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.759{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52538- 354300x800000000000000081906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.758{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53380- 354300x800000000000000081905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.757{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53086- 354300x800000000000000081904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.754{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55806- 354300x800000000000000081903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.753{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local55544- 354300x800000000000000081902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.751{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local51758- 354300x800000000000000081901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.750{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local55178- 354300x800000000000000081900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.749{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local50656- 354300x800000000000000081899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.747{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64236- 354300x800000000000000081898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.746{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local54014- 354300x800000000000000081897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.744{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local57025- 354300x800000000000000081896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.741{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local50720- 354300x800000000000000081895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.740{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local63068- 354300x800000000000000081894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.739{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local55953- 354300x800000000000000081893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.738{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local50367- 354300x800000000000000081892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.737{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local62529- 354300x800000000000000081891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.736{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49356- 354300x800000000000000081890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.734{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local62240- 354300x800000000000000081889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.731{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52386- 354300x800000000000000081888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.730{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local56061- 354300x800000000000000081887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.726{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local51977- 354300x800000000000000081886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.724{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local64135- 354300x800000000000000081885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.720{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local50003- 354300x800000000000000081884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.719{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local50003-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domain 354300x800000000000000081883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.719{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62240-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domain 354300x800000000000000081882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.704{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49569-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49666- 354300x800000000000000081881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.704{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49569-false10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49666- 354300x800000000000000081880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.682{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49568-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.974{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53193C1C6690A874B32DD18B4B14FB0,SHA256=A96227422348C8C6EFD083D1090A2AE7C93B0901E626A36D076E7FB1E898C97E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.922{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.922{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.922{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000081934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.922{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000081933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:49.923{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.793{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local63935- 354300x800000000000000081931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:46.792{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local62516- 23542300x800000000000000037567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:49.372{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F3A0A689E27D26947EA45D1BE597FB,SHA256=1B441C0E799A2E506745C2AB2EE65ADE18FD39E43E3F69E6FCF4067E4DA2031B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:50.447{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FB5515639AB0BA4830EB6678577C44,SHA256=FCAE0561A59F566EED3453D3B5EAEE277F81D586A5B3AFAFE597E09732BA1950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.107{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.106{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.105{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000081945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.075{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.074{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:50.073{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FEFD-63D0-F103-00000000BA02}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:51.543{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11419467E72CA6C1CBD4807A4124505,SHA256=699694EFDF8642F245EF378F03AE3C071845B90D302F8A4A7E46459594A8619A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:49.093{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50614-false10.0.1.12-8000- 23542300x800000000000000081952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:51.023{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E53D5127F2C244B37920D8E57783429,SHA256=B8F4B917250B64E203CD7DAB2DB901E6C79095AAF59442B77209E9C3D241E5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:52.632{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DE58BA23343A1DF2D20FBCD33F2EC6,SHA256=FD3DC99AB297F244FE518720B6D8782B08F76AA76980E55719CC6324353D555C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:52.691{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:52.691{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000081953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:52.041{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02FC57C412B3EBAC75DA7716FCF0C23,SHA256=C3E69343F738C0A43062ADE8768EAD52ED64EC8BCF89030CFF7941FC9C14CEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:53.723{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9DBC301229E18A75C87E95B92F4C191,SHA256=2D3D31CF273E83F743FDAB946715DA9368DBBCA24569B0168C8274ED6BD878B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:53.093{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA20AE8269A1C4C4380B9628127C4213,SHA256=71C54925FAA10C952EBEF083EF729E5C6E5EFC22942ADCAD2D377589FE793076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:54.798{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E5D428611812995D8377CEC22F4EB1,SHA256=95CFDD29E93D55C53DD7A2CB28697C42E041462B97FBCB24398618F9251657D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:54.168{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A0E7F6623481348662B8D5072D214A,SHA256=FAA5AB96812E62867D6768B3FA49A3A6C3394B72247B7F01D14BC7552E91468A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:51.739{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49570-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:55.896{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AF067D569838C773123EEA637CE437,SHA256=B99AFF6CFDF4DD9845864D8DB19CFAE4FDA6DDB5D0D13DC2A03AB6416669C0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:55.291{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDBB81B098012F95A50188FD4D34C56,SHA256=096293A2DF26C7ED7978E5889B1678AEEFA86B294A4360108FD7F05D0AF192D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:56.985{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DA29250D35484C654FD184DF0FD17E,SHA256=D48446C6043A552169E962B5B9AF4A93B76EEB6A9B810D4CF6BF48D39B8A84DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:56.694{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=0041E77CA5AD5023004162FBF66FE464,SHA256=B29FE4B24D35E97DCF1B52FED40F4F1F16EB636D98BEE91E0989AAB04AF2C697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:56.410{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23F61AE9E8FFF3380E16B322C4908D,SHA256=59C571C238B1C8264483A1B1E612D5C7475DB0D3F73B4538151B64611C6A6E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:57.529{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB9C19D59C6A69A20217CCB41FE702C,SHA256=40DD7760206AEA2534DB03869017B0B1782BE3090436B781E76F3E56F02D4906,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:54.948{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50615-false10.0.1.12-8000- 354300x800000000000000081964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:56.860{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49571-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000081963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:58.613{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6654CFE80AC896466D56877EC01A8E3,SHA256=BDC41636245EEB3B7263B005895B74A70C818094690D81FF8616716AC0B8DFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:58.289{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3D0B9B5F2AF642666ACF2AD0373EF88F,SHA256=B328AA6C0080D66F784CF4DB5EF8B908ECE0E798ED3FCE68C08F40DAFA79E901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:58.068{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E5FA5F2C486DDAA004CD78FFDD3639,SHA256=5E32206B5954A3A7C8D94289D09E29150AFCB94EEA92C6F596C4B10DFD955662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:05:59.631{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AE4A67993704C9D6695196AB7F0868,SHA256=6A72AD2E5D9814F5D71C63B93B71EF5E8C5FE93040DC7636EF5A264554083EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:05:59.171{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68444585D0DB22A3A325295E2B7F8C7,SHA256=B2A7850442A7E39EC4C1DC184424761EC4740FD1FE7B9099F3E800A99D47305B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.997{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.982{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.937{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.918{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.909{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.896{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.885{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.814{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.811{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000081976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:00.748{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BAAD364FFC95EC1089107A89C1C91F,SHA256=DBEBF802123BF239158C51A6AC2359CFDFD90A2668B9F9497FD748AF85EDCC2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.983{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.973{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.967{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.956{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.943{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.937{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.923{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.913{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.902{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.892{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.883{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.880{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000037580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.258{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A819D5BE03C77E4C7F24FB4D6F554D,SHA256=624320057F40528689C49BDB5005604989DE69BA9BFCF2988199CE0D7CF291CA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00465b1b) 13241300x800000000000000081973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9309c-0x3e0c7921) 13241300x800000000000000081972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d930a4-0x9fd0e121) 13241300x800000000000000081971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d930ad-0x01954921) 13241300x800000000000000081970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00465b1b) 13241300x800000000000000081968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9309c-0x3e0c7921) 13241300x800000000000000081967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d930a4-0x9fd0e121) 13241300x800000000000000081966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-SetValue2023-01-25 10:06:00.478{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d930ad-0x01954921) 23542300x800000000000000082002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.785{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5325ABEAD64CABD544270AD5530947ED,SHA256=380EF9FD98076B386B1DD5510FCF37D99E1745D2DC6E30C51B332506DE76D299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.476{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AED7617283BBB69CA3F00A176512F26,SHA256=D1132FDF150B5B7CB991D32523FA18E941E6CABBA16558850BB7621167B09555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.739{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.734{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.729{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.158{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.151{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.141{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.115{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.110{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.098{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.086{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.081{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.067{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.044{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.033{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000081986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:01.017{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000037609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.157{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.154{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.147{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.138{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.135{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.128{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.126{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.124{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.121{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.118{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.112{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.088{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.085{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.080{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.058{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.046{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:01.016{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000082003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:02.916{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B26BA4FD164ABC170723753FAD9BC10,SHA256=87BBAECBCF4E9170E98F29F9A350D4E28B99FB49A21D715566F56B926DC9F262,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:00.049{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50616-false10.0.1.12-8000- 23542300x800000000000000037611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:02.548{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F042AABD80A7216EB9BCD02F3D03CE22,SHA256=78FB7F9AE6E8B7A27DB8F51F733E2D431019FF199573D64052841ACAACDE3C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:03.983{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BDAE3FB858F41C21B286E0AA38BAE9,SHA256=D27F70D9F74998741D33DAC274AF23599ABA938E82390CF1EFBAB671F810FF68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:03.643{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DCC3951C2B194681A639681655291F,SHA256=C738E1F7BDF4363786CE4BAE76275A8B368525DA3926C2908C3C22466AB8DA06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:03.772{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:03.770{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:03.767{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000037614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:04.737{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C662A208BE8C5EFC91932679AF0D0E6F,SHA256=6B6985B3A504E03A9EDE250498B623BD8074306ED07A1A6173B654D2132413AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.715{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.706{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.698{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.693{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.687{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.683{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.675{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.672{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.665{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.661{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.648{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.626{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.568{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.551{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.549{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.545{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.537{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.529{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.483{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.442{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.353{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.338{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.317{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.307{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.304{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.299{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.293{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.290{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.286{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 10341000x800000000000000082008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:04.284{45AAC21C-ED5C-63D0-A400-00000000BA02}53205772C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80610) 23542300x800000000000000037615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:05.818{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE173354F5AB4DB8AF5E2802E20A94F,SHA256=8FCDC3E36DA5046A7EF5F2B6D3FD7163B5FFFF3F9FD14EBE7BB59577C19C9405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:05.288{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7540D88482451062DDA30FC06C2CB1E1,SHA256=AA5E0EA0079D40E3CB35A2896784F8239F0FFDCD4F3A0D6A45CDD90F427F96C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:02.745{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49572-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:06.918{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3149714CB80FBE0494455E2ED52AE3,SHA256=08F9078BBBC1E431D48F9B6D0F3BDB88543D867D758321740A942254F9D6B92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:06.140{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E084AC2F4579C78C7EDD3D7566AA34,SHA256=4FC77FA8C03E7793E5DE1EEA9996973FEC5E04024EE47768BE7D170AE097F40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:07.241{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF57F394386AC92828C0877430C50202,SHA256=798236CAB27C5592B1855769FCDACB8E55BEA36C712D4ABC3744CD49982185B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:08.357{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0458C637C05247D61184D0C4487C2DF2,SHA256=D52A3B011C3746C3DA63EEB011D5231FD6054665CD173908A17944A75EAFF454,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:05.061{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50617-false10.0.1.12-8000- 23542300x800000000000000037617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:08.000{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D1F5EF7CCD0566E67C7B962E96051D,SHA256=6139B58B85539E9A6370A6F98E7D365426E8AAA1495B0017A23AA1214DA51344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:09.374{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745239B2D93C33C97B8345D4BBC89F5C,SHA256=8EFE8166344BE16A05DA53C317A70794B2132D50775A297AE42A8C9D76E660B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:09.647{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-074MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:09.097{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63AB4A33D9B2976F02A20317C0B4C3A,SHA256=FFE01CF7966CED0C435EE5D569AD6936DB442680266E0489FBB4B6BEE1FF19D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:10.405{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D695D82517EB24BF8B3F4C16B69B58F,SHA256=F29A8E7756FBC6F51E1CB1C9E00E9A67361C83177CCFE01500E0AF29C34A932C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:10.650{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:10.194{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D025489FE9F1EE51ECCCA89E8FF7CD,SHA256=DEFAC10B00708E4660E5EE980B602F7E8A294B2CD7E2AB94E6FA48CE25A81AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:10.259{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=A8D9314F724703CF313221FE2B80AF73,SHA256=47567E471C1DBB78439540BF54DB2620AD291D8C47E5587CB222BBA0A86A8691,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:07.751{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49573-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:11.494{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90077C9B1AF752D98F57719BAADBEAE,SHA256=0315C7063064500A0445431AC39E457CD0AADA1B8B30CBC51FF4D1BAD41E5970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:11.287{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA94C3890BEE03C8F6F1AA6295C04154,SHA256=06A5909281D9A2A129D5D07EA3292318D5FACDEAF8856E621D5E7C12E3E551EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:12.579{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BDD580414F3B06DA8F791C671ADFC2,SHA256=16FD0F4B7E4426E2CFAEB7126A9BDCB0A07ED2D0C553C47BF435ABBA3117F607,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:10.082{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50618-false10.0.1.12-8000- 23542300x800000000000000037624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:12.387{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BDB0797E08EE85F9BA39C29B729679,SHA256=871A870775E342C0D23AA2F512BD5C23853DCFE5068841EEA65C6AA966C80C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:13.663{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD83CC4CA2194EF4D71F819AF8A98765,SHA256=A488C06CC3FF91BB744BA6D4DDDD95992C954B4048F97E7E965012D49E598AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:13.476{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF15A43685FB9F6FFB9CE13CAD4D75CC,SHA256=C9D260EAF6B88C868851EB08A0B8D6400A11E8F3C97477BC9E4CBBC180C8DD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:14.780{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942C11F127FD63A2196F1143F47B22CD,SHA256=7865AEE664651445511432990DD2E0B06135EE0DA5F4C32326DE5CC5608893ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:14.692{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8C53BA91A897B9510C7767678C05FF2F,SHA256=F1E992B3548AA7BBF218249EE678791EEEFCD39D46E3F89EEA9CB424A227F736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:14.567{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238D070F59EB3338BCB836525D9FF2A7,SHA256=2D9F791C7BA59084E208F28C9E615B12836548DBC81BFE9FC2BFE7EE0172BB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:14.427{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=62478795E5A505469D2278AD09ECCFE4,SHA256=2FB72F478E8E8D763BD82B873F28FE340A95F01537B1517C55AA8D910D1BE964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:15.981{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=20F917A7386999911E370936BFE354D6,SHA256=0603DBE4FF5431CECF316F12E6E9B8547138ED1FF06FA2A2FBE02BC5B0016FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:15.898{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5788F7121826B521449ABCC27447B200,SHA256=1A93A45C7A79FFDFE988BBB95DA980DEDA063EE4CD79961C0CF6CA1FF61E6909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:15.664{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0644A12911E41ED98F3B387D4EC7B822,SHA256=5832F9A00EFAB1F15E33D362A9F400CC39244E8227B085AB2ECE475B36723505,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:12.761{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49574-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:16.765{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84B48AD2A2A5758CC955A4CE560F278,SHA256=9634887B7669691A019F812B5E107C5F32B72EA88C0A7256D4B2F77B53886466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:16.652{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=52C1C1785048F6ABF3E8DF7C913CE3EE,SHA256=C1EC639CC0696996920FA3F0BBE5822A1286DB0EA3C64C8C094613AFBDFD14BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:17.853{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2114D52C00397CCCE4563B2BA449B4B6,SHA256=B492CBC83D5DD093AE0975BAF9E824B5A0B6D3B62F173C81D634CCE1A7B63AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:17.790{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:17.790{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:17.790{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:16.998{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EE1DBAC714F9C51C5262E8806FC5D6,SHA256=099C3090EF8514418B56B71942F69F6042F18D4EF7C6E18766AA6A876D548F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:18.847{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA7EA0A2665D653B27156FA428AFA49,SHA256=D656A33A1ABD65016E27EB7163D27A3D90DE61041588CD39EE0849BFDFF6B197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:18.616{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:18.114{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCDD002FD682AF57C9933758C88EC7F,SHA256=AC9F487B07F8A71F242353CD77039BB3F0569CDFCAEC8DC2CCC0D65CDF9A3BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:19.928{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE49FBDDF99F710B676B0335A4ECD15,SHA256=8F8F098D61543C73083494655927359339D47AA20D137F63BA21998C142B3CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:19.233{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5143B81FFA07146763F9994F38BEB54,SHA256=531CD9FB8D61BB48E39640A615CB052C201BA534A72AB597F99100C36AB1511E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:15.959{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50619-false10.0.1.12-8000- 10341000x800000000000000037655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.997{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.994{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.993{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.987{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.985{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.975{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.956{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.950{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.944{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.939{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.934{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.929{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000082070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.996{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.986{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.942{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.920{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.910{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.887{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.877{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.820{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.816{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000082061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:20.368{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3213D9532C43C77D771166D5E4D3F4B0,SHA256=BED13558506F15AA81F2FF280E5BB204AEB16A43EDFFCD2F5771F44AB6A95C1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:18.247{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49575-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x800000000000000037643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.924{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.914{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.909{72106695-ED09-63D0-1F00-00000000BB02}20001912C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000037640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.899{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.896{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000037638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:20.894{72106695-ED09-63D0-1F00-00000000BB02}20002784C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000037668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.983{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA06DF4FA0C04FAD0E3139781E89A17B,SHA256=3EDC8EE7C0CC1E11269EB81BC416441F84F858724F6C12E66CEAE2F0115B3A6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.788{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.784{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.779{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000082086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.664{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=F0F3409A2B69A24FD3FBE860F5557B97,SHA256=8102ACFDCF24CDE14C9F9F34BBD4C7DA9469688409CF3FADEA83FC044562DB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.317{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89800F4F89B38E83841523B1D22D31D,SHA256=19FE77ACA48ABF23415ED355D03BA678C48F1E98665DC848DAB40784BEE94072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.023{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.020{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.019{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.017{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.016{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.014{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.014{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.013{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.011{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.008{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000037657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.005{72106695-ED09-63D0-1F00-00000000BB02}20002796C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000037656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.004{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC8C43605D48AB8F0BE236784519E04,SHA256=2B2E4CCB00D56F97743737FA307E0161D35F681ED07C9CBDDEDF8616357F4CD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.111{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.100{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.087{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.075{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.066{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.059{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.053{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.051{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 354300x800000000000000082076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:18.783{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49576-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000082075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.048{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.042{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.025{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.017{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:21.008{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000082090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:22.386{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECF6EAE4C8CB65BDBD76FAD4036840A,SHA256=082066579F192DF5F05E95A0EE9EAB58E20638A09F71E5E419FC4E9E466208F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:23.825{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:23.824{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:23.821{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000082091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:23.473{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C012B3848D1905612ADB94C7F7A894EF,SHA256=010AB53E7AC9AEF37F44FF8A50701B29AC2A5C99734D31E2807D67E36C36BE86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:21.100{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50620-false10.0.1.12-8000- 10341000x800000000000000037670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:23.220{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1F00-00000000BB02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:23.069{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C613A6BE8D0A6F2D2A95473AF41970,SHA256=C8669B14D41021E5B95FFAB2D9EE523AC8AEA02B304C06D091DDADACEF44B7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:24.145{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79126367AB3805838876F683A3FAD074,SHA256=2E79D3ABEC9E4F2F50059FBC41CC5DC7D95851C57792E593D3FAC476BF14E6C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.654{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.651{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.648{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.646{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.640{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.637{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.633{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.631{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.627{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.623{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.620{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.610{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.573{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000082113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.552{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586AFD2DF80E60492596DDF269B7EDD5,SHA256=84A2AA5225712E28139E98F7A995B5F3DE95385DC32D6BF04A621C8666949668,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.537{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.535{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.531{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.524{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.519{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.487{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.468{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.418{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000082104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.406{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230125084931-074MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.399{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.380{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.360{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.352{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.349{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.345{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.342{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.339{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 10341000x800000000000000082095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.338{45AAC21C-ED5C-63D0-A400-00000000BA02}53205736C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D00850) 23542300x800000000000000037673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:25.226{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6C7FC5D88DDDAC04B4CDC8737910FF,SHA256=52006BE3849DF21F48E463E4FD3E6FCECE805B05158EE760D23A2F12BEC1F90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:25.560{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB51B57B6559CDF6DE6A317B9AB69E3,SHA256=939645B366CD2C54D2D23C7968B032F287C664577387A0496926FEF8250A14BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:25.407{45AAC21C-ED18-63D0-2F00-00000000BA02}2700NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230125084929-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FF22-63D0-A302-00000000BB02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FF22-63D0-A302-00000000BB02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FF22-63D0-A302-00000000BB02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.988{72106695-FF22-63D0-A302-00000000BB02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.548{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=619EA33BF56E92812B1032BDA3A6ADC7,SHA256=3478B1D661FFD42E6E031E5B8656CE583F7F7D104812B80C2AE9831E311C2EE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.439{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FF22-63D0-A202-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.439{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FF22-63D0-A202-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 10341000x800000000000000037689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.439{72106695-ED09-63D0-1F00-00000000BB02}20002816C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FF22-63D0-A202-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D383D0) 23542300x800000000000000037688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.400{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FF22-63D0-A202-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FF22-63D0-A202-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000037676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BFC8C02678DE576FB3C62BB0E780A8,SHA256=8FFB28EA8BE02EE3AEF7916590364C39998CB4E08C750BFD32A1EF384301B2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.306{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FF22-63D0-A202-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:26.307{72106695-FF22-63D0-A202-00000000BB02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:26.641{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46A9925E2564D5766987DD2C155A1B9,SHA256=AFFFEEF12EA7C72262B3FDEF33FD5890E3DF7236EBCB82B8352DA1F2917C277D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:27.677{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30992C9E131D73F4ECEA8EC37667C457,SHA256=FDCE4299F1F940C3E8C34E31533E7A303AA35DD7763DC45FE5625DDDD6CAD048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.952{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31183B5E4523BB2B4B1CEB5559370105,SHA256=5A6CF232E18FC7D0E4273F8C4282F09954BDD73E86DC2AA13814D3F462D08605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.890{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3865EF0DD6CAA30B8C1856C252399156,SHA256=B65A7769734CA0F9C8BBF782D9D8E90905E093B21E6E15AF4FF739FD0046819E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.842{72106695-FF23-63D0-A402-00000000BB02}4040600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FF23-63D0-A402-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED07-63D0-0500-00000000BB02}4081028C:\Windows\system32\csrss.exe{72106695-FF23-63D0-A402-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.655{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FF23-63D0-A402-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.656{72106695-FF23-63D0-A402-00000000BB02}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:24.690{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49577-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:28.777{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4472E77151F5C232296E1362658869,SHA256=6018B86E0FB0BF473A59432775630737D10553D1D9A1073F63C55F056006244A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.728{72106695-FF24-63D0-A502-00000000BB02}1324664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000037737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.713{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205ECAE9E6B4613B903D7196472ECA09,SHA256=135F5D88D85941AC816C2DABEA73104485D5E9319DD3D4C50AA0BFE1E49EB754,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FF24-63D0-A502-00000000BB02}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED07-63D0-0500-00000000BB02}408424C:\Windows\system32\csrss.exe{72106695-FF24-63D0-A502-00000000BB02}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.572{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FF24-63D0-A502-00000000BB02}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.573{72106695-FF24-63D0-A502-00000000BB02}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000037723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:25.281{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50621-false10.0.1.12-8089- 23542300x800000000000000037722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:28.470{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E31C4CCA670C7B3740AEF7E6E8FA6594,SHA256=ABDF58D1340D64A1FE8B8C4CEC2546146C0D21F8A80225A83FBD4D4598D269AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FF25-63D0-A602-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FF25-63D0-A602-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.977{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FF25-63D0-A602-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.978{72106695-FF25-63D0-A602-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:29.789{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6035C68E4F224C4ACABDDD9D70942498,SHA256=A4C55EA979C5255C4697069EDA05DCA97D62608C1DD9DF4AD1EA0AD759623B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:29.894{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C76DC8CF6BDEF2A2CC083096A05E55D,SHA256=9B78B0BFFB4B787BE67963F9DE78AB1FA751727E58316313142CDB1DC42BE95B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:27.036{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50622-false10.0.1.12-8000- 10341000x800000000000000037768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.870{72106695-FF26-63D0-A702-00000000BB02}35563756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:30.966{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4009B4084AF7FC42B9935D2F04ADBB3C,SHA256=4B7B66992A18BB363E1BE33BEC73E9F66B2CAF31E9AD0B28CF141C651DD62663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FF26-63D0-A702-00000000BB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED07-63D0-0500-00000000BB02}408524C:\Windows\system32\csrss.exe{72106695-FF26-63D0-A702-00000000BB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.652{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FF26-63D0-A702-00000000BB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.653{72106695-FF26-63D0-A702-00000000BB02}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000037754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:30.211{72106695-FF25-63D0-A602-00000000BB02}36961076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:30.611{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000082135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:30.611{45AAC21C-ED4E-63D0-9300-00000000BA02}1336888C:\Windows\Explorer.EXE{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801D850B2A8)|UNKNOWN(FFFFC72308993998)|UNKNOWN(FFFFC72308993B17)|UNKNOWN(FFFFC7230898E1A1)|UNKNOWN(FFFFC7230898FB6A)|UNKNOWN(FFFFC7230898DE26)|UNKNOWN(FFFFF801D817FC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:30.611{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF46d0c8.TMPMD5=C74EB0A77229C73FC938504EFE8FBD57,SHA256=48ADD4ADC5A56D2981F0FBB46AEAA5E26233DF7663F86B735CA55CB72B721A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:31.973{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7959D52B34201EDF049F7F933250E1C3,SHA256=3A0F59DCB273A85FE20DC23F8755554726D113236B900265B568CE3EFEC17A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:31.152{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992EEF3D2E2E30D10F0D26989EC2F0A1,SHA256=17A32334FD750E216DA9E6CBB4BA01413252DDD70283BAF9DD615813F23BB793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED0A-63D0-2B00-00000000BB02}28762896C:\Windows\system32\conhost.exe{72106695-FF28-63D0-A802-00000000BB02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED08-63D0-0C00-00000000BB02}720764C:\Windows\system32\svchost.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED07-63D0-0500-00000000BB02}4082644C:\Windows\system32\csrss.exe{72106695-FF28-63D0-A802-00000000BB02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000037772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.939{72106695-ED09-63D0-2000-00000000BB02}20083152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-FF28-63D0-A802-00000000BB02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000037771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.940{72106695-FF28-63D0-A802-00000000BB02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:32.383{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:32.383{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:32.383{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:32.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}9041244C:\Windows\system32\svchost.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:32.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}9041244C:\Windows\system32\svchost.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000082139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:29.695{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49578-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:32.082{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21376B8A84BDC2DF8CB0EEACDF0317E,SHA256=386E65E6B0558C9C3A547AFCAF39B5E42DD366E9FC8466694B50B5210BFEF9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:33.048{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4825AC833F270234D362D8A9FA3E40F,SHA256=6340DBE24BD489FE3A332B14B9F8019248EE7D5F4F1F6F37C635C1F047067EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:33.183{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0625DFA8B87D88CFAF3A2A25AE281925,SHA256=3997F50B2F10CAED5968DCB6465374418D143D1D48A3FEE4CDEFF0A5251013CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:34.299{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED39394A7B491B4534F1502284F7C30,SHA256=A808C207BDDB267E079CFCD0287E3244BD126E42B8EF4F59EE41324CD6013019,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:32.134{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50623-false10.0.1.12-8000- 23542300x800000000000000037786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:34.156{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45AFB580186D79958F0FC3543DC39D8,SHA256=5E838F0B080E981983909E7198F19CCDC2A808C9C42992BA80F70F6182A0D402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:34.062{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4777CA860206E711B474441468C148CB,SHA256=72FB7D68192E8586F06B6D0C4D25DEB33C35E311D120517CE55B04E1793551A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:35.399{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D694D8AFCA081AB2DF1209F160456E,SHA256=168DB5FFCD991DB9EAAD7A98F477E6D5DBB1A3E040C88CCFEAF0B51F43C97459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:35.133{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDD16A2777EC213F39EF2DB13C3BBB6,SHA256=E30939A43A2A102428715C00FE6AA7C47F647153F7EC31AB309CB4F25E2D4727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:36.499{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C022CC041992305CD567110625DE285,SHA256=56DB1E9CB12AB2B7740F855F71825DDCF91CE595A0507AB611FC7BFDB355B121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:36.235{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D36CAA87DCFD2091273C55726E57F6,SHA256=32C75CFF23C40C2FCFC13A262DDDB1D662569E8A633530DE157F3A68062D453C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:37.616{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E253637B57111AFE7F7517C5443BB3A3,SHA256=161605489C9A08219CEB02E285C25360827FF351D59FB8B468D3D053586DBCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:37.326{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E74A09AF5619460B124011CCA036AA5,SHA256=E9D0E4C401501EC2889F201072BC5E08CA4E541B7AA450E8590874E5CEC07F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:38.634{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F5E458785530351AE71EA0736A6D57,SHA256=E00326D45996D0022562925DD19AF489E46A8F552B8EA080E328BEEE60E9C2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:38.428{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D1F2C1E8B806DF59C48B7FA067B8B3,SHA256=CF6442DCF050419A6309F60B220EF7D53704DEC6642B40E189E4C38A903A88A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:35.699{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49579-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:39.720{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0056CB26F7D4CF3AD8FFF1B39031C3D0,SHA256=F75437F0CDE488AF5A135D71DCE6AE176D6F532AA2529FBD0978EB41D708BE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:39.527{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA7089C280C062670A8236ED2FF9EEF,SHA256=A80B83966B49443DD64202C6096044C6C9B25FEB2D39F4CABEEC1CC93D302B80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.963{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.936{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.926{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.909{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.885{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000082155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.831{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE3F36E27A7FD5FAC29D359915CD9F3,SHA256=8B4A2A2987D7173F7B2CB88B834373A0C8F075BD762924EEABD497C292BD16EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.826{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.823{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000037806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.976{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.968{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.962{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.956{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.946{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.936{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.929{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.919{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.909{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.898{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.881{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.876{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 354300x800000000000000037794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:38.125{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50624-false10.0.1.12-8000- 23542300x800000000000000037793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:40.605{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C08E4315319646306A40BF9B873794,SHA256=60EFF5A5A9D897FDA8FA697EA20555639284331DA6F92CD9D85928DC8C1EA6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.808{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB99A8AE3A9E5E93C855AEEB7EC64FD1,SHA256=9F6FAEF1EBB7743738D07857F51B7C0545BE951F598DE637E7CC923716526912,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.954{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.950{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.947{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000082176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.874{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19D692B24AF543CD344F1EC22C9285E,SHA256=D0C3F76186D9BCEB61CFF84C4145870AC7F6914F2E6403CC5C7EBA1A015B7847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.156{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.148{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.139{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.118{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.115{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.103{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.099{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.095{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.093{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.084{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.060{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.041{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.032{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.018{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:41.001{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000037823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.078{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.076{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.073{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.071{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.070{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.067{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.066{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.065{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.063{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.061{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.057{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.045{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.042{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.040{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.033{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.030{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 10341000x800000000000000037807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:41.017{72106695-ED09-63D0-1F00-00000000BB02}20002968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180610) 23542300x800000000000000082188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.973{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8237C124C7755D22EA3BD739DA9C5F7B,SHA256=F0AE49B7BD0B66A5CB7114A2BFD20643B6579F07D27BA4A3DFEB29C984B350A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FF32-63D0-F203-00000000BA02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FF32-63D0-F203-00000000BA02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FF32-63D0-F203-00000000BA02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:42.788{45AAC21C-FF32-63D0-F203-00000000BA02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.988{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.987{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.985{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000037825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:43.127{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1096680C8195E96857D1B3C8D77B2A,SHA256=E9B6543EC70817C0101988564B7370EC265E9D859159A23B837D005B63D15431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.853{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34998A335C108E2F08A539AE286FC7E7,SHA256=20E168C7376972C57EECE3482C1B3E53E2206FDB2A83AAEA53F84E903803B04B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.783{45AAC21C-FF33-63D0-F303-00000000BA02}68167380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.732{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=23ED78E279262B05B0688087681542F1,SHA256=4E59B3A563071DC1F1C16BD9948A945B668919EF4BB3AF5650955A1D299FD0D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.730{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FF33-63D0-F303-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000082203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.729{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FF33-63D0-F303-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000082202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.729{45AAC21C-ED5C-63D0-A400-00000000BA02}53205348C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FF33-63D0-F303-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838610) 10341000x800000000000000082201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.622{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.622{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.622{45AAC21C-ED08-63D0-0B00-00000000BA02}636308C:\Windows\system32\lsass.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.603{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED5C-63D0-A400-00000000BA02}5320C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FF33-63D0-F303-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-ED08-63D0-0500-00000000BA02}420436C:\Windows\system32\csrss.exe{45AAC21C-FF33-63D0-F303-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FF33-63D0-F303-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.458{45AAC21C-FF33-63D0-F303-00000000BA02}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:40.815{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49580-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000037826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:44.216{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F155800F49EC19D1B7CF305A5DE39428,SHA256=08AABABED30563C8CA0F6B65CD970867554E42BE72D638FF3C7F7E080F8C4940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.746{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.743{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.740{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.737{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.731{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.723{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.710{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.705{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.703{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.699{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.697{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.689{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.655{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.639{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.638{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.636{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.632{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.629{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.606{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000082231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.600{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C6B075CA2A549E7DA477CE44AF03FA7D,SHA256=A7C344CF49256E3D6CFBF9A947D7FD56D125FAC57EA2B1621B707E4BC2D80910,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.594{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.562{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.555{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.542{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.536{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.535{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.530{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.514{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.513{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.510{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.509{45AAC21C-ED5C-63D0-A400-00000000BA02}53205356C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000082219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.322{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FF34-63D0-F403-00000000BA02}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.322{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.322{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.322{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.322{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.322{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FF34-63D0-F403-00000000BA02}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.322{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FF34-63D0-F403-00000000BA02}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.323{45AAC21C-FF34-63D0-F403-00000000BA02}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:44.067{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DB3F78B021FA5B4CD283EFC10F2CB,SHA256=F9DD378A0AC96E7FA75D4BC2463FEE6A540B726F06DBBD95FE3BFC9F6ACCF5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:45.305{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AB71082BF2D8F787BA9DD277D027F5,SHA256=B1BA19B24F610ED1F44B884032A4FB7916F4D1AA0C99D52DF1575F4EB2246586,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.753{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49581-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 354300x800000000000000082252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:43.753{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local49581-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap 23542300x800000000000000082251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:45.410{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF04E54EC3CBD57328DE02F4F488669,SHA256=2B4DE3135135A8BED606CCEF903DCDF96C90A4C7C8AB1123D679B524B28B857E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:46.394{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715977FE66809F9FE04825EEA1B62BCA,SHA256=4B4FEC81C020C4B888BEF092467EF204B228804D11A2C92C8C38BF7A4422B1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.755{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=5D3AFFCF70EB1B6BD952062FEA0CD4EF,SHA256=81AD2D028E3038D396D2AC437B80D7091D121DE616132627079FEF2429875B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.457{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D32D10A6B37F1747728BDFECE2A40A7,SHA256=03AA4290C4D6E226ACAE93C435A10A1D3D4ED3669552CB207ECBBCD4E5165B7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.457{45AAC21C-FF36-63D0-F503-00000000BA02}63727892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.273{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FF36-63D0-F503-00000000BA02}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.273{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.273{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.273{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.273{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.273{45AAC21C-ED08-63D0-0500-00000000BA02}420536C:\Windows\system32\csrss.exe{45AAC21C-FF36-63D0-F503-00000000BA02}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.273{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FF36-63D0-F503-00000000BA02}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.274{45AAC21C-FF36-63D0-F503-00000000BA02}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:47.488{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219A3AC37B79F3FBC1B67E63209D456D,SHA256=BA000D2A4B74F39E38651B480867BCC1FD5A6A9B4C90215774BCFF30D01ED245,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.974{45AAC21C-FF37-63D0-F703-00000000BA02}73886800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.702{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FF37-63D0-F703-00000000BA02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.697{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.697{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.696{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.696{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.696{45AAC21C-ED08-63D0-0500-00000000BA02}420788C:\Windows\system32\csrss.exe{45AAC21C-FF37-63D0-F703-00000000BA02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.695{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FF37-63D0-F703-00000000BA02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.695{45AAC21C-FF37-63D0-F703-00000000BA02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.574{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C805C743AB44EB5F6A905F36989390E5,SHA256=F8EC1A5D01A518FC90694DCEA836C9EFD35FF46FFC7A7C5291E132483CBEE0ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:44.092{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50625-false10.0.1.12-8000- 10341000x800000000000000082273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.395{45AAC21C-FF37-63D0-F603-00000000BA02}64007464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FF37-63D0-F603-00000000BA02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FF37-63D0-F603-00000000BA02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FF37-63D0-F603-00000000BA02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:47.194{45AAC21C-FF37-63D0-F603-00000000BA02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000037831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:48.584{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6531BCBAED7C007ABC4C5D7DB0CA75C1,SHA256=6A2C0DBDBD7592D6F61F926F3A837E6AE164F6198FC2E0D1360043D93CB8D752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:48.697{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9BB4A518B0C353B166F516051AE995,SHA256=044B837A22DEFC257755A0A6FF0B0CDEDCFE831334E9A948CFBF69B07B545F32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:46.757{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49582-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000082295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.898{45AAC21C-ED1A-63D0-3800-00000000BA02}32763296C:\Windows\system32\conhost.exe{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.895{45AAC21C-ED0A-63D0-0C00-00000000BA02}848376C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.894{45AAC21C-ED08-63D0-0500-00000000BA02}420780C:\Windows\system32\csrss.exe{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.894{45AAC21C-ED18-63D0-2C00-00000000BA02}26721604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.893{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-ED08-63D0-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.814{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA1A9A2025EDCBD807D2F9A715F3030,SHA256=24066965BC8BB9107A93539009F99E27CB74F1E4E88BB27656D63A391AD3F428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:49.716{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D89C138CC174EE014377AAD9F4096D94,SHA256=0BA770E0CBD07446BDF3CC585BC52C59A58EB030159AC35FC56A6B8C6FA2C06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:49.682{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56501247C8F1CE7E8DA7B4EE681420AD,SHA256=C8A1819F632725E596356EF1C53AD1DE551F5F1D4DDB242CD309E52529F9A39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:50.830{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E18E4796A08BDE29817EE24C87A4756,SHA256=F7397720C8F57287B8CBA1F06BC0F29D17DA0A2E303F86774D1C5670448BD50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:50.784{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8802B173B74695D1E31FABC019C9B19C,SHA256=280899B47A599B15881FEC0AFBDBBFFFF0C222A2F30362E91B3D6BDCA01611E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6bb24|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6b9d3|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6eb75|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e0ad|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:50.077{45AAC21C-F3FF-63D0-5202-00000000BA02}77167800C:\Program Files\Process Hacker 2\ProcessHacker.exe{45AAC21C-FF39-63D0-F803-00000000BA02}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5d74|C:\Program Files\Process Hacker 2\ProcessHacker.exe+c0334|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6c33f|C:\Program Files\Process Hacker 2\ProcessHacker.exe+6e018|C:\Program Files\Process Hacker 2\ProcessHacker.exe+dd838|C:\Program Files\Process Hacker 2\ProcessHacker.exe+af074|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:51.933{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D499F20202AAD75F860E3BCCB12896,SHA256=C8D134758CFB0523C7B63BA54DAC5690A25D6AB1E8318C7B31836661F81395F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:51.857{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB485774D4A97DB57A6173D3ECA3BF5,SHA256=EEF014864577DD78AE71FF1EC5AA54CD65B6549356419887062E805C449E0A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:51.031{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CFCE647D94E287CF3567EA1A4FA54B9,SHA256=FD8BB413FA766E25BEE1A897003F20B6FD75A967BF0BBBECA9E8ABD1342ABCE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:52.944{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA5455185AFCDB121DABDFF1E0B78DD,SHA256=38F5F4FD93D74239B22971A564906798C9B4BC8FA9EC782554C4F3B495E6A092,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:51.846{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49583-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:53.062{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA1C40D234F0E8A6BC4A304DCD2876B,SHA256=09ECCB56CF6A9CE01A3A93AB3FA457AD6729841542D0C9699C19B8F5E807274C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:50.007{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50626-false10.0.1.12-8000- 23542300x800000000000000082305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:54.131{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60689F30F847DBDB86F249F83A763BF0,SHA256=66799D2E6A19434EB91975D373C0D10B072800B97BDE1547CD07D37EAD52BF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:54.035{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57906DE0B0A101488620297F4DE3A402,SHA256=B38674BA256A71BA67164B5E35D27E7919DC97A974C389DC7BD3B7086AE06CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:55.162{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C1A55B8108D7A2A8732B7EE6526EDF,SHA256=896F376B92A0D5F58BB5D876B1ADCCD4E254201AED2FC6E2300B4CE8075892D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:55.125{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2647DF12A755B18F08F107B385A1A596,SHA256=82989BEC29968A513FA04261E1DA8F9E16BF7C727CE5230E77E7D1821A779F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:56.719{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=56D312F81F6F4C70CBF5052582A5E99C,SHA256=71CE6390BFCED6434AEED8F6806658FCC5BA6E16672F68425F449B6DDECDB160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:56.234{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5A158462C84500A086A22E79756B48,SHA256=090D346A97DB67BBBBF1CC2E47728F0D2D28D1281FB8296A2A53E836F0ED3ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:56.207{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D087DAB7F186B56D740EA8D608D54B8,SHA256=A3C68CFE0D65C1A53CB9735D623D857F13B50733E240CF8B67C6DBD2FD5CB9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:57.335{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6199812EEF8D5B5C4780833C1785EF95,SHA256=FB7BF0EBF5257C32FDCD7624DEDF2CD12576B97718E2223C62FA832FCD090E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:57.793{72106695-ED09-63D0-2000-00000000BB02}2008NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6CD33A67D88A14A4925E1561269F26CE,SHA256=6CEF195B2EE210A4664D084BA65ED33E9B7C1C716EFCD7E92579675BBCDA2EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:57.307{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBD5C22207D7156C5415AF4939B4760,SHA256=0CAC0DC32EF9DAAA1F1CAA9E458DF3D9773BFAAC32FBFBC5E3201B60CD7DDA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:58.382{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8D5EF8D6158CB051EEEBFC808439F3,SHA256=4DF54140E6EF5D0C822AC5D8E2D52A360818E81536E14EC3E3394685CD9162A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:58.407{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D05C6F1BE8B95982633016BAC295029,SHA256=D85553A54C06265AF37BCC6A5C7550882221AF7796126C860D546CC569A40710,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:57.730{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49584-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:06:59.500{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF262B1C795A01C54A4F0E7D4144611D,SHA256=63755C4351E033DE914B4F3121B0122086CE08FA49DD1CAB3FDA31D41D78C307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:59.489{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8ECFCBB72D19A189F460E8C986E9FE,SHA256=97457C28F6A7230E8AFF93E6AD082AFD639204C1C62FD331C7348754E4B0C163,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:06:56.014{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50627-false10.0.1.12-8000- 10341000x800000000000000082321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.985{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.946{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.922{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.905{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.888{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.877{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.820{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000082313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:00.584{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8753F46EB487B7BAD779E550D3C47C16,SHA256=C96C51908B8F91D6990359B894ED19F0C5F9D0FCD92D6DD4517A0EC26CB258AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000037858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.996{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1600-00000000BB02}1192C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.964{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1500-00000000BB02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.958{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1400-00000000BB02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.945{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1300-00000000BB02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.934{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1200-00000000BB02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.922{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1100-00000000BB02}972C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.915{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-1000-00000000BB02}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.910{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0F00-00000000BB02}900C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.902{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0E00-00000000BB02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.897{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0D00-00000000BB02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.882{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.876{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0B00-00000000BB02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.873{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED08-63D0-0900-00000000BB02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 23542300x800000000000000037845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:00.584{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1869FCBC0C7BF8816708A37C27FCAE7,SHA256=861F9E35EC0775896DDB2685AA6208AD1FCFC50302B584C214F471C5A105B20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.905{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713A8B4B9983968AA63F58E8FA0AB86A,SHA256=7E7EF79149876515C8258EEC217D853945089CD80C692F126B6943452ADA1C0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.806{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2E00-00000000BA02}2692C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.799{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.787{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000082336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.618{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCD0DC2099EAC59B0E17B61BE0C98B8,SHA256=278664BE17642239C8AB9C5E682C0BAE1E416704A26397A270991AEC9D60FB48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.132{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2A00-00000000BA02}2652C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.125{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2900-00000000BA02}2636C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.115{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2800-00000000BA02}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.096{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2700-00000000BA02}2576C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.094{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2600-00000000BA02}2568C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.076{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2500-00000000BA02}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.068{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED14-63D0-2300-00000000BA02}2340C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.064{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1800-00000000BA02}1992C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.062{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1700-00000000BA02}1492C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.052{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0B-63D0-1600-00000000BA02}1324C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.031{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.024{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.014{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:01.000{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000037874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.071{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-FB5F-63D0-3102-00000000BB02}3068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.066{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED83-63D0-8200-00000000BB02}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.065{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED1B-63D0-6D00-00000000BB02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.061{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.061{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-4000-00000000BB02}1980C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.058{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0B-63D0-3C00-00000000BB02}2964C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.056{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2B00-00000000BB02}2876C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.054{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED0A-63D0-2600-00000000BB02}2596C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.051{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2500-00000000BB02}2436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.046{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2200-00000000BB02}1172C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.043{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-2000-00000000BB02}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.029{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1E00-00000000BB02}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.027{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1C00-00000000BB02}1892C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.024{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1A00-00000000BB02}1856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.011{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1800-00000000BB02}1732C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 10341000x800000000000000037859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.008{72106695-ED09-63D0-1F00-00000000BB02}20002924C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-ED09-63D0-1700-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A8F43D0) 23542300x800000000000000082340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:02.707{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546CD585D1EC536861102ABAA32F0958,SHA256=91277DFB651A642FF8291C4B0AA7FBD80116302C9DBDD2838BDD02CD0EEE95F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:03.847{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3300-00000000BA02}2444C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:03.845{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED19-63D0-3100-00000000BA02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:03.843{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED18-63D0-2F00-00000000BA02}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000082341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:03.772{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A212E0094738D68E093D8FEB6F69C21,SHA256=A8499613A58CEC36E3874A759C9106A929089BBB443F5462CA1A9D88E8D4D87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:03.100{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDA193A254644F921A4FA65802E0FEE,SHA256=E2714A654EC1C889FC20399D60B6D0ED5BB1073B0F0029FEA9B4610E03B9A017,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.886{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE6D-63D0-D903-00000000BA02}4816C:\Users\Administrator\Downloads\asyncrat\bin\asyncrat.bin0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.881{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE59-63D0-D803-00000000BA02}8160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.877{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE39-63D0-D003-00000000BA02}4868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.874{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CF03-00000000BA02}6108C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000082372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.862{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F5A3C61AA60E08BA8D7542A86463A3,SHA256=562BCD67D9FDB8C76A810E779E35DB566CE72480CAA55DD5D9FD7BA43793B02B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.862{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-FE36-63D0-CE03-00000000BA02}3640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.856{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99E-63D0-4403-00000000BA02}4716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.851{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F99D-63D0-4303-00000000BA02}220C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.845{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F993-63D0-3A03-00000000BA02}5848C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.837{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3403-00000000BA02}8152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.830{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98F-63D0-3303-00000000BA02}5868C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.828{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3203-00000000BA02}1380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.797{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98E-63D0-3103-00000000BA02}7700C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 354300x800000000000000037878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:01.934{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50628-false10.0.1.12-8000- 23542300x800000000000000037877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:04.197{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736E6B568CF5F40111455FB04C128C4A,SHA256=63AAD9C18DE2FBED00268CE644AC13C855C4CDCD371CE6B71E731E90F351CF68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.740{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F98D-63D0-3003-00000000BA02}7812C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.681{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F6CE-63D0-DF02-00000000BA02}368C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.675{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A202-00000000BA02}5720C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.667{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F532-63D0-A102-00000000BA02}7492C:\Program Files\Far Manager\Far.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.657{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-F3FF-63D0-5202-00000000BA02}7716C:\Program Files\Process Hacker 2\ProcessHacker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.645{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED93-63D0-C200-00000000BA02}5684C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.568{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 354300x800000000000000082356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:02.856{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49585-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000082355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.517{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.447{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.417{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4E-63D0-8E00-00000000BA02}432C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.394{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED4D-63D0-8900-00000000BA02}4888C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.388{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED36-63D0-8100-00000000BA02}4176C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.385{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED35-63D0-7F00-00000000BA02}3432C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.381{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED2C-63D0-7B00-00000000BA02}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.372{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.368{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1B-63D0-4500-00000000BA02}3632C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.361{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-4100-00000000BA02}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:04.359{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED1A-63D0-3800-00000000BA02}3276C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000082377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:05.844{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8772EC518BC3D8676E2E0E26D74A6851,SHA256=A10AF9A7418311C3F125C5443BCBF9F8BCED054D00602E775FC0775564D73FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:05.266{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8396042F27E70F7F03DEADD8ACC64275,SHA256=8901BD31CF9D85B649200EBB7C199E37F397517D3EFF1E0FF8DEFD402E0DDC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:06.930{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577077961387F38CE5843BAED139274D,SHA256=DE1F40D2B5DCFA5EDDCD574B2165C1AB3EFD69E9D3C941302D98C8AF65A06FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:06.356{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF361128364FDF72E4C73EEE98D9F05,SHA256=C094D4D1FB8EFC550B531BA53C39041ED03B364068662AF8973DA05C2D09FE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:07.448{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32D2B0641B4A9E010277E2EC7FE1B58,SHA256=C2CC90E73B355030192B82000F6DF728732E32B55BAB6B70631DB64623B39BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:08.541{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5562F539DADAE35CD70628D66D10C87,SHA256=335883409C90FB994AC1F4D7A114588D0C8273CDA910AA552EE1D33A09550DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:08.046{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748B777F9B04AA5A04F0F400E2DF4D44,SHA256=EF7734EAAAFEE1C5CAD7CB41BFB94F89F0A6966AAFB39937DD5A058FB0669907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:09.641{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8938632DBFF6B8DBC58A5C467FC31918,SHA256=E764FE63DE7254DB3D752094EDE649A6696028BC77A9E153AFAB6CD8BFED19B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:09.131{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D73E594D9B0704C5680B8776998217,SHA256=6394BDE6F22D668A4CF9948EEC4CC2073A88F920ADE2EA6AED5450A0454E344D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:07.100{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50629-false10.0.1.12-8000- 23542300x800000000000000037885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:10.741{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3B70F8766F87C0BEF3326F0FE0ABE5,SHA256=A47AFD6F19FDE8EA09C7AD14452602C8167A4CC48400D778FC73A8979DE4C47D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:08.778{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49586-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:10.232{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B200C34545CAEF01FD452577938DA1E,SHA256=10083F604B151BD771D0A40389EBF1EC222D52F3F98C21C8EF8D85D09DDB70A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:11.819{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC1C8D30F2A8D349223B0A83C24EB83,SHA256=9322670C21AB24E7895B656EF0547136001BD8858DAE551FAF1B9879F8B56D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:11.314{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654697CA3011A0C33F9DF48CB0F47CA1,SHA256=E88F07810B54D0A2B5A7E7CE90720B1649959EC036F9826BD31BF9F210FDA6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:11.165{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230125084915-075MD5=4A845FE96E1CB901D2D7264E475C5D0A,SHA256=805658FE4E43678F2368D193C16F752D5AE58460E17C63B3F32526AFB5DF27A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:12.912{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254DFEFA93DB6A8690E67317C9579F07,SHA256=2CAD3EA830E090D0DCEE5FF999D5850CA04BBDA31C715679F1F0B82B7C99A10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.581{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10825EF6AD75D094228F5248BC0BDC7,SHA256=79EDE74D56CDAAC22E2EDE4CCD950DC6F6D6847B84C6B94C30ACE7C424EDCD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:12.164{72106695-ED09-63D0-1C00-00000000BB02}1892NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230125084913-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.315{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.315{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.315{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5A-63D0-A200-00000000BA02}2468C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.314{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.313{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED4E-63D0-9300-00000000BA02}1336C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED5B-63D0-A300-00000000BA02}2792C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:12.312{45AAC21C-ED0A-63D0-0D00-00000000BA02}904924C:\Windows\system32\svchost.exe{45AAC21C-ED18-63D0-2B00-00000000BA02}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:13.651{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF42CF57A438554370D68E115817E39,SHA256=F27DBD88298844DF0845F11DA998929B97D597F4A7020F616BAB43885A508FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:14.736{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9051237F03F3237B0A1D633B92A6ED,SHA256=0CFA3FEDCC1631C33E90D5437D83A55B9146DD29A92A03EE4CC555EA124C4F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:14.706{72106695-ED08-63D0-1100-00000000BB02}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0B856E9E6B415C92E0497744703D1B24,SHA256=CA7EE0D2ACF916E3E44BF0B697B1E49BA98ED018D2C0A995AD469F68BEE89EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:14.012{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6536B61907C1CC5576712D4820295AD2,SHA256=1F5731AAC2A8481D42CFCFC9487B5AFB8BAFCB50C6783642237198C47CE45496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:15.984{45AAC21C-ED0A-63D0-1100-00000000BA02}704NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DC52A4D75ADD03E84169A0910DA3C41A,SHA256=4D612DE68A67397B0D4DD5CE9E259F43856B0546FC17B9FECD67B5F44EF7B066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:15.758{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3554BE46E1CFC34498EA6AA55F3F4FAD,SHA256=46ADDF03754446D814B8B891DC5E69534417C63F2E1C10D9E0F9FD7553FEDF4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000037893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:12.956{72106695-ED14-63D0-6200-00000000BB02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50630-false10.0.1.12-8000- 23542300x800000000000000037892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:15.222{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF664669787307F318F5AB8F6489658,SHA256=12237A71DEDB02C91D4684EB48EB3FF6821624EA82DA93FF757646759B0E8657,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:14.683{45AAC21C-ED25-63D0-7100-00000000BA02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49587-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:16.851{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21F9FA9C91AED866A955424B4FD9E17,SHA256=27442D1C11A66578861883FF96CE7E4A1CD5E1BD35637A0BD0640FB59481E1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:16.783{45AAC21C-F98D-63D0-3003-00000000BA02}7812ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ilosieif.default-release\datareporting\glean\db\data.safe.binMD5=2A9E15B63A25133B139774364D45C4D8,SHA256=8D7A5D02B4825E3005E2D8A6D60D160F30FFC4E0A391D521EBCAF8E89A3F8960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:16.312{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31CF22BE9B72AAF1ABB53703747A7D7,SHA256=231B0B8DD64F0F9A6EA7D6F154CB78C8465D0174A867781C94C5BCF53762FF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:17.837{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AA8CE33C5934D7C031698F9A5953B4,SHA256=C1744E13D0D31C42FF302BDCE3FACE47D6F68298DCCA79185D588A3454174BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:17.392{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B9E9FBA3BEA972109326B4477C497B,SHA256=785F3FFEFC455F449DF635D57C76A7D912944E832A622206F58D348441A54D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:17.016{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C1C259FE124814D47BEA94FDFDDC73F6,SHA256=49F1C36FBB80F97D8E59EFB3673303E383AF7AE764560E6E61C2F75AB0F8CBC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:18.918{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD509CADC5ADDF0396F1B6F77823789,SHA256=76E940F886DE6242E945DD047853CE1FB69BEB9E44003DABCEEB75F2B3BE3722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:18.490{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC53055BBDD30A5376005F16C2C11B2,SHA256=A18C981054251E6E95F5A7A6A4F6C1ACCCD1B09102943A656B112011E636AB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:18.622{45AAC21C-ED18-63D0-2C00-00000000BA02}2672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-25 10:07:19.579{72106695-ED1B-63D0-6D00-00000000BB02}3768NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A22B174FD68F8E205838CF04D86E07F,SHA256=A0E3E623D7CB8F9824A71FDB101A40349A1223E80B0FB6F878215EC5D4B4AC16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.997{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1500-00000000BA02}1152C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.988{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1400-00000000BA02}344C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.983{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1300-00000000BA02}364C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.969{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1200-00000000BA02}408C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.959{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1100-00000000BA02}704C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.915{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-1000-00000000BA02}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.903{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0F00-00000000BA02}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.892{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0E00-00000000BA02}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.877{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0D00-00000000BA02}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.867{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED0A-63D0-0C00-00000000BA02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 354300x800000000000000082439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:18.250{45AAC21C-ED18-63D0-2C00-00000000BA02}2672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local49588-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x800000000000000082438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.818{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0B00-00000000BA02}636C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 10341000x800000000000000082437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.815{45AAC21C-ED5C-63D0-A400-00000000BA02}53205784C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-ED08-63D0-0900-00000000BA02}576C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012D80850) 23542300x800000000000000082436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.669{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98963A700F3FA117FD78F3A6BD57A2AE,SHA256=337595D8F77818E5BC40490CEEBA7B43E5433040AB0B8E017F3C3C6A7DA8D257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-25 10:07:20.000{45AAC21C-ED2C-63D0-7B00-00000000BA02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89B293A4FF88840B668C81F7FCEF05D,SHA256=8939C4EF13900D595AE8427C1A73ECAF1864E9D7624E36D1E773D930E1D2DFA1,IMPHASH=00000000000000000000000000000000falsetrue